‘Internet of Things and the Law is an impressive work on several levels. It
exposes inadequate consumer safeguards in the current “contractual quagmire” 
and complex, overlapping regulatory regimes governing the IOT. Noto 
La Diega masterfully analyzes the relevant privacy, intellectual property, 
telecommunications, competition, and internet laws as he explicates their 
implications and proposes reforms. But like an artist sweeping away an intricate 
mandala after he has completed it, Noto La Diega boldly recognizes the limits 
of law and proposes a utopian horizon for IOT governance based on a deep 
engagement with studies in political economy and social theory. This book not 
only advances our understanding of IOT policy but also serves as a model for 
future work in the law and political economy of technology policy.’ 
Professor Frank Pasquale, Brooklyn Law School, 
author of the bestseller The Black Box Society 


‘Internet of Things and the Law: Legal Strategies for Consumer-Centric Smart 
Technologies is a thorough exposition of the regulation of the Internet of Things 
which starts by expertly defining ‘the Things’ and the regulatory puzzles around 
them. Keeping the consumer front and centre, the book engages with a broad 
range of issues starting with ‘Netflix Law, GeoBlocking and the personal/non- 
personal data binary. A strong case is made for a non-binary approach to regulation 
and for legal approaches, including contract law, consumer law, privacy law 
and intellectual property law, that mitigate the imbalances and vulnerabilities 
consumers are exposed to. Ultimately, Noto La Diega argues that the Commons
for a Collectivised and Open IoT will take society beyond the limitations of these 
legal approaches. This is a timely and brilliant addition to scholarship that should 
inform forward-thinking regulatory approaches.’ 
Professor Caroline B Ncube, Professor and SARChI 
Research Chair in Intellectual Property, Innovation 
and Development, University of Cape Town 


‘A wonderfully informative and deeply reflective study of the Internet of Things 
from a socio-legal perspective, presented to us by one of the leading experts in the 
field. Dr Guido Noto La Diega convincingly argues for an open IoT and points
to some hopeful signs. The book should be read especially by those interested in
how European law might effectively regulate an Internet dominated by ‘Things’ 
and how people acting collectively can harness their power to reshape the future.’ 
Professor Megan Richardson, Professor of Law,

Internet of Things and the Law


Internet of Things and the Law: Legal Strategies for Consumer-Centric Smart 
Technologies is the most comprehensive and up-to-date analysis of the legal 
issues in the Internet of Things (IoT). For decades, the decreasing importance of 
tangible wealth and power — and the increasing significance of their disembodied 
counterparts — has been the subject of much legal research. For some time now, legal 
scholars have grappled with how laws drafted for tangible property and predigital 
‘offline’ technologies can cope with dematerialisation, digitalisation, and the internet. 
As dematerialisation continues, this book aims to illuminate the opposite movement: 
rematerialisation, namely, the return of data, knowledge, and power within a physical 
‘smart’ world. This development frames the book’s central question: can the law steer 
rematerialisation in a human-centric and socially just direction? To answer it, the book 
focuses on the IoT, the sociotechnological phenomenon that is primarily responsible 
for this shift. After a thorough analysis of how existing laws can be interpreted to 
empower IoT end users, Noto La Diega leaves us with the fundamental question of 
what happens when the law fails us and concludes with a call for collective resistance 
against ‘smart’ capitalism.

Introduction


[T]he establishment of the political state and the dissolution of civil society into 
independent individuals — whose relations with one another depend on law . . . is 
accomplished by one and the same act. 

Marx, On the Jewish Question 


For decades, the decreasing importance of tangible wealth and power — and the 
increasing significance of their intangible counterparts — has been the subject 
of much legal analysis.¹ This evolution predates the digital economy (bonds,
shares, etc.), but it is in the context of the current pervasive digitalisation that 
intellectual property (IP) has risen to the role of a prevalent form of wealth, 
which — combined with contractual and technological measures — allows for the 
control of key immaterial resources, such as software, algorithms, and even data 
itself. For some time now, legal scholars have grappled with how laws drafted 
for tangible property and predigital ‘offline’ technologies cope with dematerialisation,
digitalisation, and the internet.² This debate is far from reaching a
definitive conclusion, as the frenzy surrounding non-fungible tokens (NFTs) is
showing.³


1 See e.g. Alexander Peukert, Güterzuordnung als Rechtsprinzip (Mohr Siebeck 2008); Jan Jacob,
Ausschließlichkeitsrechte an immateriellen Gütern: eine kantische Rechtfertigung des Urheberrechts
(Mohr Siebeck 2010). More modestly, this was also the subject of Guido Noto La Diega, ‘Il
paradigma proprietario e l’appropriazione dell’immateriale’ (PhD thesis, Università degli Studi di
Palermo 2014).

2 See M Scott Boone, ‘Ubiquitous Computing, Virtual Worlds, and the Displacement of Property 
Rights’ (2008) 4 ISJLP 91. On the challenges of cloud computing to right to property see Guido Noto 
La Diega, ‘Il Cloud Computing. Alla Ricerca Del Diritto Perduto Nel Web 3.0’ (2014) 2 Europa e 
diritto privato 577. More broadly on issues of ‘new’ property without control see Aaron Perzanowski 
and Jason M Schultz, The End of Ownership: Personal Property in the Digital Economy (The MIT 
Press 2016). On the crucial issue of how traditional principles about jurisdiction apply online see Julia
Hörnle, Internet Jurisdiction: Law and Practice (OUP 2021).

3 Joshua Fairfield, ‘Tokenized: The Law of Non-Fungible Tokens and Unique Digital Property’
(2022) 97(4) Indiana Law Journal 1261; Ifeanyi E Okonkwo, ‘NFT, Copyright, and Intellectual
Property Commercialisation’ (2021) 29(4) IJLIT 296.

As the dematerialisation continues, this book aims to illuminate the opposite
development: rematerialisation,⁴ namely, the return of data, knowledge, and
intangible power — that we tend to conceive as disembodied and displaced in 
cyberspace — to the physical world. This move begs the question whether the law 
steers rematerialisation in a human-centric and socially just direction. To answer 
it, I will focus on the sociotechnological phenomenon that is primarily responsible 
for this shift: the Internet of Things (IoT).⁵

With smart devices (in this book referred to as ‘Things’) outnumbering human 
beings and with European spending in smart technologies exceeding EUR200 billion
in 2021,⁶ the IoT is now past the hype. This sociotechnological reality promises
to considerably improve our lives through a network of sensors and actuators
deployed in the most disparate sectors, from healthcare through agriculture to 
transport and entertainment. In an IoT world, every Thing is connected to the 
internet, communicates automatically with other Things, transforms every aspect 
of our lives into computable information, and uses this information to act on the 
physical reality and produce often unforeseeable changes in the ‘real’ world. Some 
incidents attracted some publicity, e.g. hackers screaming at children through
unsecured baby monitors,⁷ killer connected cars,⁸ and the transformation of hundreds
of Things into remotely controlled bots to bring down a domain registration


4 See Jennifer Gabrys, ‘Re-Thingifying the Internet of Things’ in Nicole Starosielski and Janet Walker 
(eds), Sustainable Media: Critical Approaches to Media and Environment (Routledge 2016) 180; 
Henriikka Vartiainen and others, ‘Rematerialization of the Virtual and Its Challenges for Design and 
Technology Education’ (2020) 27 Techne Serien — Forskning i slöjdpedagogik och slöjdvetenskap
52. 
5 The renewed centrality of tangibles goes beyond the IoT, see e.g. 3D printing, but with the IoT it
acquires an unparalleled scale. Climate change and sustainability considerations are also leading
to a new awareness of the materiality of assets that would otherwise be regarded as intangible, see
e.g. the energy consumption concerns associated with the blockchain. See Jon Truby, ‘Decarbonizing
Bitcoin: Law and Policy Choices for Reducing the Energy Consumption of Blockchain Technologies
and Digital Currencies’ (2018) 44 Energy Research & Social Science 399; Dinusha Kishani
Mendis, Mark A Lemley and Matthew Rimmer (eds), 3D Printing and beyond: Intellectual Property 
and Regulation (Edward Elgar Publishing 2019). 
6 ‘Worldwide Internet of Things Spending Guide’ (IDC, 9 June 2021) <www.idc.com/tracker/showproductinfo.jsp?containerId=IDC_P29475>.
7 Department for Digital, Culture, Media & Sport, Code of Practice for Consumer IoT Security (UK 
Gov 2018) <www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security/code- 
of-practice-for-consumer-iot-security>. 
8 The first death occurred in Florida in May 2016, when a Tesla Model S’s autopilot sensors mistook
a white tractor-trailer crossing the highway for the sky, thus killing its ‘driver.’ In March 2018, a 
Volvo car that Uber had been using to test its self-driving technology killed a cyclist in Arizona as its 
operator was distracted watching The Voice. The operator was charged in September 2020, whereas 
surprisingly prosecutors decided that there was no basis for criminal liability for the corporation, 
despite the vehicle’s automatic systems’ failure to identify the victim and her bicycle as an imminent 
collision danger due to sensor and software issues (National Transportation Safety Board, ‘Prelimi- 
nary Report Released for Crash Involving Pedestrian, Uber Technologies, Inc., Test Vehicle’ (NTSB, 
24 May 2018) <www.ntsb.gov/news/press-releases/Pages/NR20180524.aspx>). In August 2019, a 
Tesla car in autopilot killed a fifteen-year-old in California. More recently, in April 2021, a Tesla 
car killed its own passengers in Texas. Cf Antonio Davola, ‘A Model for Tort Liability in a World

service provider.⁹ One can only imagine what would happen if malicious players
exploited the ‘smartness’ of Things to remotely control a petrol station, a pacemaker,
or an army of drones. The higher the degree of a Thing’s autonomy, the
maker, or an army of drones. The higher the degree of a Thing’s autonomy, the 
higher the risks. For example, in March 2021 the UN Security Council revealed 
that for the first time a lethal autonomous weapon system had attacked a human 
target without being told to.¹⁰ Alongside security and privacy, the IoT poses a
threat to other fundamental values, from self-determination through dignity to 
freedom of expression and equality. 

While there is growing interest in the IoT,¹¹ existing analyses tend to focus on
individual issues — mainly privacy,¹² cybersecurity,¹³ and competition law.¹⁴ More
comprehensive studies are US-centric,¹⁵ targeted at practitioners,¹⁶ or no longer
current, considering the speed of technological evolution and legal change.¹⁷
Some contributions have also explored the IoT alongside artificial intelligence
(AI) and other technologies of the ‘Fourth Industrial Revolution.’¹⁸ Against this


of Driverless Cars: Establishing a Framework for the Upcoming Technology’ (2018) 54 Idaho Law
Review 591.

9 ‘The State of DDoS Weapons’ (A10, 2020) <www.a10networks.com/resources/reports/state-ddos-weapons/>.

10 UN Security Council, ‘Letter Dated 8 March 2021 from the Panel of Experts on Libya Established
Pursuant to Resolution 1973 (2011) Addressed to the President of the Security Council’
(S/2021/229).

11 In terms of nonlegal literature, key references are Jeremy Rifkin, The Zero Marginal Cost Soci- 
ety: The Internet of Things, the Collaborative Commons, and the Eclipse of Capitalism (Palgrave 
Macmillan 2015); Philip N Howard, Pax Technica: How the Internet of Things May Set Us Free 
or Lock Us Up (YUP 2015); Bruce Schneier, Click Here to Kill Everybody (Norton 2018). 

12 See e.g. Rolf H Weber, ‘Internet of Things — New Security and Privacy Challenges’ (2010) 26 
Computer Law & Security Review 23; Aurelia Tamo-Larrieux, Designing for Privacy and Its 
Legal Framework: Data Protection by Design and Default for the Internet of Things (Springer 
2018); Jatinder Singh and others, ‘Accountability in the IoT: Systems, Law, and Ways Forward’ 
(2018) 51 Computer 54; Nora Ni Loideain, ‘A Port in the Data-Sharing Storm: The GDPR and the 
Internet of Things’ (2019) 4 Journal of Cyber Policy 178. 

13 See e.g. J Singh and others, ‘Twenty Security Considerations for Cloud-Supported Internet of 
Things’ (2016) 3 IEEE Internet of Things Journal 269; David Lindsay and Evana Wright, ‘Regulat- 
ing Security for the Consumer Internet of Things (IoT)’ (2020) 3 REDC 541. 

14 See e.g. Marco Ricolfi, ‘IoT and the Ages of Antitrust’ (Nexa Center for Internet & Society 2017) 
Working paper nr 4/2017; Rupprecht Podszun, ‘Standard Essential Patents and Antitrust Law in 
the Age of Standardisation and the Internet of Things: Shifting Paradigms’ (2019) 50 HC 720. 

15 Joshua AT Fairfield, Owned: Property, Privacy, and the New Digital Serfdom (CUP 2017); Brett M 
Frischmann and Evan Selinger, Re-Engineering Humanity (CUP 2018); Shoshana Zuboff, The Age 
of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (PublicAffairs
2019); Cynthia H Cwik and others (eds), The Internet of Things: Legal Issues, Policy, and
Practical Strategies (ABA 2019). 

16 Cwik and others (n 15); Thaddeus Hoffmeister, Internet of Things and the Law (Practising Law 
Institute 2020). 

17 Rolf H Weber and Romana Weber, Internet of Things. Legal Perspectives (Springer Berlin Heidel- 
berg 2010). 

18 Mireille Hildebrandt, Smart Technologies and the End(s) of Law: Novel Entanglements of Law and 
Technology (Elgar 2015); Frischmann and Selinger (n 15); Eduardo Magrani, Laws and Ethics of 
Internet of Things and Artificial Intelligence (Lambert 2019); Sebastian Lohsse, Reiner Schulze

backdrop, Internet of Things and the Law differs from existing works as it is an
updated comprehensive reflection on the IoT from a European sociolegal perspective
and targeted at academics and law students. While this is first and foremost
a research monograph, I believe that it can be of use to students as well. Indeed, 
nowadays it has become impossible to understand internet governance and infor- 
mation technology law without a thorough comprehension of the IoT. First, the 
IoT is a rapidly expanding area of the web, as suggested inter alia by the fact that 
IoT patents grow nearly seven times faster than other technologies.¹⁹ Second, in
recent years a deluge of laws (including standards and soft laws) has been intro- 
duced to regulate the IoT, directly or indirectly: these range from the Regulation 
on the Free Flow of Non-Personal Data to the UK’s Code of Practice for Con- 
sumer IoT Security. Therefore, ignoring these laws would provide only a partial 
understanding of how the internet is governed. 

This book builds on those contributions that have regarded the new extrac- 
tive practices of the IoT as illustrative of the current stage of development of 
capitalism. Most famously, Shoshana Zuboff in her Surveillance Capitalism shed 
light on a new form of power generated by big data, an unprecedented threat to 
democratic values as it exiles persons from their own behaviour by creating new 
markets of behavioural prediction and modification.²⁰ Zuboff creates a parallel
with the industrial capitalism studied by Marx, but she posits that whereas the old 
capitalism fed on labour, IoT-powered capitalism ‘feeds on every aspect of every 
human’s experience.’²¹ In fact, there is uninterrupted continuity between the old
and the new capitalism, and the point of the IoT is to appropriate the previously 
uncapturable, thus transforming every aspect of human experience into labour. 
Indeed, it is now accepted that data is the main commodity, and we, as IoT users, 
can be regarded as data producers. By appropriating this commodity and control- 
ling the means of production, surveillance capitalists treat us as industrial capital- 
ists treat their workers — except now we are no longer aware of being workers. 

IoT power, and the way big tech uses it, cannot be comprehended without look- 
ing also at those subjected to it. Humans use Things and are increasingly used — 
and transformed — by Things. This is where another major recent contribution to 
contemporary scholarship, Re-engineering Humanity by Brett Frischmann and 
Evan Selinger, steps in. The authors focus on how these companies use new technologies,
including the IoT — rebranded ‘smart techno-social environment’ — to
change those subjected to power: us. The IoT risks erasing the ‘freedom to be 
off, to be free from systemic, environmentally architected human engineering.’²²
Building on this analysis, it is vital to understand how to de-engineer humanity. 


and Dirk Staudenmayer (eds), Liability for Artificial Intelligence and the Internet of Things: Münster
Colloquia on EU Law and the Digital Economy IV (Hart 2019).

19 Intellectual Property Office, ‘Eight Great Technologies. The Internet of Things. A Patent Over- 
view’ (2014) UKIPO 6. 

20 Zuboff (n 15) 8. 

21 ibid 16. 

22 Frischmann and Selinger (n 15) 124.

To this end, alongside understanding power and its subjects, one needs to closely
scrutinise how the law mediates the relationship. In this sense, an unavoidable 
reference is to the germinal book Between Truth and Power by Julie E. Cohen, 
who focuses on how the law is changing in the networked information age. Law 
is closely intertwined with code (or design) and political economy: ‘through their 
capacities to authorize, channel, and modulate information flows and behaviour
patterns, code and law mediate between truth and power.’²³ This approach
builds on a tradition that goes back to Lawrence Lessig’s Code,²⁴ which famously
regarded code — the binary code that shapes the internet — as a new form of regula- 
tion. More recently, Roger Brownsword and Karen Yeung observed that we need 
to reimagine legal rules as one element of a larger regulatory environment of 
which technological management is also part.²⁵ While building on these three
streams of literature, this book further advances knowledge by understanding 
power, humans, law, and technology as inextricably connected and each capable 
of affecting and being affected by the others. 

The impact of the IoT on the law is not limited to the rethinking of the con- 
cept of law to include techno-regulation. The IoT disrupts many of the dichoto- 
mies upon which the law was built, most notably good-service, hardware-software, 
tangible-intangible, consumer-trader, consumer-worker, human-machine, security- 
cybersecurity, online-offline. As noted by Mireille Hildebrandt, smart environ- 
ments engender novel types of regulation, which usher in the ‘onlife’ world: the 
IoT is not simply a technological infrastructure; it is ‘a transformative life world, 
situated beyond the increasingly artificial distinction between online and offline.’²⁶
The IoT’s smartness means that Things will be executing their own programs and 
negotiating with each other to achieve their own goals. This makes it imperative to 
‘address [smart] environments or their constitutive elements as agents that we need to 
hold responsible for the harm they cause, for their lack of fairness.’²⁷ More generally,
the fact that the IoT is troubling the binary categories that underpin the law calls
for a rigorous legal analysis to critically assess whether the law can be ‘queered’. 
By ‘queering’ the law, I mean the overcoming of the aforementioned binaries
through interpretation, legal design, or law reform. A queer approach requires also 
that the power dynamics hidden behind the ‘smart’ world be brought to life, which 
in turn means asking oneself whether traditional legal changes adequately curb the 
power of IoT capitalists or a more radical upheaval would be desirable. 

Rematerialisation, the internal dynamics within the power-humans-law triad, 
the regulatory function of IoT code, and the tension between a non-binary 


23 Julie E Cohen, Between Truth and Power: The Legal Constructions of Informational Capitalism 
(OUP 2019) 13. 

24 Lawrence Lessig, Code (Version 2.0, Basic Books 2006). 

25 Roger Brownsword and Karen Yeung (eds), Regulating Technologies: Legal Futures, Regulatory 
Frames and Technological Fixes (Hart 2008); Roger Brownsword, Law, Technology and Society: 
Re-Imagining the Regulatory Environment (Routledge 2019); Karen Yeung and Martin Lodge 
(eds), Algorithmic Regulation (OUP 2019). 

26 Hildebrandt (n 18) 8. 

27 ibid 27.

sociotechnological phenomenon and dichotomic regulatory mechanisms are only
some of the reasons that made me embark on this writing journey. A final, cru- 
cial factor played a role. Internet studies have long explored the challenges and 
opportunities of the collection and use of information. The EU General Data Protection
Regulation (GDPR)²⁸ and prominent surveillance scandals have led to an
abundance of research on data management, data science, and data ethics. These 
laudable endeavours have mostly focused on ‘incoming data,’ namely, on the 
transformation of real-world information into strings of code. However, to study 
the IoT means to account not only for how machines sense the world but also for 
how they act on it. As will be seen in the next chapter, being equipped with actua- 
tors is a core feature of Things. An example is provided by the automated border 
control systems that decide whether to open the door based on the matching of 
the passport’s biometric data and facial recognition data. More trivial illustrations 
include a turning on of the lights based on location data, or a smart sprinkler 
watering the plants based on weather data. Zooming out, one starts to see how 
this constant two-directional flow — real world being transformed into computable 
information, information being used to change the real world — shows how the IoT 
is, at once, a global network of surveillance and a global infrastructure for the col- 
lective organisation of IoT users-cum-data producers-cum-workers. With the IoT, 
the factory becomes distributed and every aspect of one’s life is commodified and 
rendered reprogrammable. Similar to industrial capitalists collectively organising 
labour in the factory, IoT big tech extracts value from our data by organising our 
digital labour at a systemic level. 

This leads to the explanation of why I have adopted a methodology that can 
be loosely regarded as Marxist. At a higher level, as technological artefacts have 
politics²⁹ — the most popular Things’ politics being clearly neoliberal — and given
that the IoT has been convincingly framed as the epitome of the current stage 
of capitalism,³⁰ it makes only sense to adopt a Marxist lens. Indeed, Marxism
remains the most compelling and comprehensive critical approach to capitalism, 
and Marx was the first to argue that technology is the primary influence on human 
social relations and organisational structure.³¹ I would also put forward that a
Marxist legal research method demands a sociolegal ‘law in action’ approach. 
As Roscoe Pound put it, lawyers need not to regard the law as ‘the beginning of 
wisdom and the eternal jural order;’³² rather, we should ‘look the facts of human
conduct in the face (and) cease to assume that jurisprudence is self-sufficient.’³³
While Pound was mainly preoccupied with the relationship between common 
law and legislation, ‘law in action’ is nowadays construed as a nonnormative 


28 Regulation 2016/679 on the protection of natural persons with regard to the processing of personal 
data and on the free movement of such data [2016] OJ L 119/1. 

29 Langdon Winner, ‘Do Artifacts Have Politics?’ (1980) 109 Daedalus 121. 

30 Cohen (n 23). 

31 For a nuanced analysis of technological determinism and Marxism, see Bruce Bimber, ‘Karl Marx
and the Three Faces of Technological Determinism’ (1990) 20 Social Studies of Science 333. 

32 Roscoe Pound, ‘Law in Books and Law in Action’ (1910) 44 Am L Rev 12, 35. 

33 ibid 35-36.

understanding of the many forms the law can take and operate in the real world.
This is in line with the Marxist refusal of ‘legal fetishism,’ a common attitude 
whereby the law is depicted as a ‘unique phenomenon which constitutes a discrete 
focus of study.’³⁴ The view that the law is only ‘one aspect of a variety of political
and social arrangements concerned with the manipulation of power and the consolidation
of modes of production of wealth’³⁵ for me is no reason not to study the
nature of legal phenomena. Rather, it is an incentive to reflect on how power and 
socio-economic factors shape the law and how the latter governs — or, one may 
say, is governed by — emerging technologies, which in turn have become person- 
alised regulatory tools in the hands of private rule-makers: the ‘smart’ platforms. 
To understand this new law in action, I have adopted a multipronged methodol- 
ogy, including semistructured interviews, subject access requests, text analysis of 
contracts, and autoethnography, as elucidated at the beginning of each chapter. 

My approach can also be defined loosely as Marxist as it reconciles the his- 
torical materialist tenet that human behaviour is conditioned by external factors 
(mainly socio-economic ones) with the acknowledgement of the importance of 
conscious action in the transformation of societies. As the epigraph shows, the 
law had a crucial role in creating the state while dissolving — and depoliticising — 
civil society.³⁶ While the law imposed by the dominant classes is one of the factors
that condition human behaviour, this does not mean that there is no room for
organised action. In shedding light on how the IoT threatens humanity, and on the 
limitations of the law in dealing with it, this book intends to raise awareness — to 
heighten class consciousness, one would say in Marxist terms — about the risks 
of technologically driven capitalism, with the ultimate goal of a call to action to 
refute techno-legal solutionism and transform the IoT into an open and collective 
vision for a more just society. 

With this in mind, I will endeavour to answer the following overarching ques- 
tion: how does the law mediate the power dynamics between IoT big tech and the 
end users, and can the law steer the development of the IoT in a human-centric 
and socially just direction?

Obstacles and Alternatives in
the Regulation of a Non-Binary 
Sociotechnological Phenomenon 


In the medieval guilds the master was prevented from becoming a capitalist by the 
guild regulations. 
Marx, Economic Manuscript of 1861—63 


1.1 Introduction 


The IoT promises to improve our lives and realise the vision of a fully intercon- 
nected world, where we are constantly online, with easy access to a vast range 
of digital services and unprecedented new opportunities in every sector, from 
defence to healthcare. However, the IoT raises a number of issues that existing 
laws do not properly address for a number of reasons, most notably the reliance 
on outdated dichotomies (e.g. good-service) and principles (e.g. copyright’s terri- 
toriality). These issues would require better and IoT-aware regulations to address 
questions of utmost importance, ranging from the problem of covert, ubiquitous 
surveillance to the liability for the harms produced by the unintended and auto- 
mated interactions within and between IoT systems. 

When I started writing this book, I was reading Marx’s Economic Manuscript 
1861—63,¹ from which the epigraph of this chapter is taken. The manuscript plays
a ‘very important’² role in the development of Marx’s critique of political economy,
a process that starts with the London Notebooks of 1850-53³ and ends with
the Capital.⁴ Entitled by Marx Zur Kritik der Politischen Ökonomie (A Contribution
to the Critique of Political Economy) and consisting of 23 notebooks, the


1 Karl Marx, ‘Economic Manuscript of 1861—63. A Contribution to the Critique of Political Economy’
in Karl Marx and Friedrich Engels (eds), Collected Works, vol 30 (Progress 1988).

2 Alex Callinicos, ‘Marx’s Unfinished But Magnificent Critique of Political Economy’ (2018) 82 
Science & Technology 139, 140. 

3 These remain unpublished, but they are included in the Marx-Engels-Gesamtausgabe (MEGA) project
and are set to be published in MEGA IV/7-11 according to Lucia Pradella, Globalisation and the
Critique of Political Economy: New Insights from Marx's Writings (Routledge 2015) 6. 

4 In this book, I will mainly refer to the Italian translation of Capital and in particular to Karl Marx, 
Il Capitale (1867), vol 1 (Bruno Maffi tr, Aurelio Macchioro and Bruno Maffi, UTET 2008); Karl 
Marx, Il Capitale (1885), vol 2 (Bruno Maffi ed, UTET 2009); Karl Marx, Il capitale (1894), vol 3 
(Bruno Maffi tr, Bruno Maffi, UTET 2009).

‘path-breaking’⁵ manuscript can be regarded as the first systematic draft of all
four volumes of Capital.⁶ I was drawn to it for two reasons. First, the idea that
the existence of regulations prevented feudal masters from becoming capitalists. 
If one compares it to the current regulation of the IoT, its piecemeal, outdated, 
and often unenforceable character reduces the ability to rein in IoT capitalism. 
Second, one of the key features of the 1861—63 Manuscript is Marx’s interest in 
the role of technology in the passage from manufacture to ‘mechanical workshop’ 
or industrial factory.⁷ The difference between these stages lies in the technological
revolution that, thanks to the passage from ‘tool’ to ‘machine,’ enabled the capi- 
talist mode of production. The difference is pithily explained by Marx himself: 


[O]nce the tool is itself driven by a mechanism, once the tool of the worker, 
his implement, of which the efficiency depends on his own skill, and which 
needs his labour as an intermediary in the working process, is converted into 
the tool of a mechanism, the machine has replaced the tool.⁸


The replacement of humans with machines in the handling of the tools is ‘the 
material essence of the revolution of “mode of production.”’⁹ The all-consuming
labourer-machine relationship isolates the former, who confronts ‘capital as 
an isolated individual, standing outside the social connection with his fellow 
workers;’¹⁰ the labourer confronts a thing, rather than the person of the capitalist.
The machine is the labourer’s ‘aggregate body, which exists outside him...
Human beings are merely the living accessories . . . of the unconscious but uniformly
operating machinery.’¹¹ Under smart capitalism, this isolation and passivity
of workers is worsened by the fact that the machine is no longer only
the external body of the labourer when working in the factory: the machine is 
all around us, in our smart cities; reaches our most private spaces, in the smart 
home; and enters our own body under the guise of smart health. In a society 
where data is the most sought-after commodity, IoT users become round-the- 
clock workers as they produce big data, thus generating value, whether they are 
aware of it or not. 

Against this backdrop, this chapter will critically evaluate whether existing 
regulations do enough to protect us from the extractive practices of the IoT, whether 
they can rebalance our relationship vis-à-vis these ubiquitous ‘smart’ machines, 
whether they can prevent hyperconnectivity from making us feel like disconnected 


5 Enrique Dussel, Towards an Unknown Marx: A Commentary on the Manuscripts of 1861–63 
(Yolanda Angulo tr, Routledge 2001) 2. 
6 Institute of Marxism-Leninism, ‘Economic Manuscripts: Theories of Surplus-Value. Preface’ 
8 Marx, ‘Economic Manuscript of 1861–63. A Contribution to the Critique of Political Economy’ 
(n 1) 423. Italics added. 
9 Dussel (n 5) 170. 

machines. In doing so, it will tackle the book’s overarching research question by 
answering the following subquestion: what are the hurdles in the regulation of the 
IoT, and how is the EU rising to the challenge? 


PART 1 — IOT DEFINITION AND REGULATORY DIFFICULTIES 


1.2 The IoT Today: Related Concepts, Definitions, 
and Core Features 


The core idea that underpins the ‘Internet of Things’ can be traced back to 1926, 
when Nikola Tesla imagined that devices simpler and more mobile than the 
traditional telephone would convert the Earth into a brain. One needs to wait until 
the seventies for the first ‘Thing’ to be developed. It was a Coke vending machine 
at the Carnegie Mellon Computer Science Department, and its microswitches 
enabled users to remotely double-check whether the machine was empty or full.12 
Flash forward thirty years, Kevin Ashton coined the phrase ‘Internet of Things’ 
in a 1999 presentation for Procter & Gamble, where he linked the use of radio 
frequency identification (RFID) in that company’s supply chain and the internet 
as a new, more reliable way for computers to collect data about the physical world 
with little, if any, human involvement.13 

Despite a not-so-recent history, there is no single commonly accepted definition 
of the IoT.14 For the purpose of this book, and building on the Microsoft 
Cloud Computing Research Centre’s approach15 to the IoT, a ‘Thing’ is: 


An inextricable mixture of hardware, software, service, digital content, and 
data with (inter)connectivity, sensing, and actuating capabilities and interfacing 
the physical world. 


Although the IoT is an ever-changing and contested concept, this definition 
encompasses the main features that lawyers and regulators need to keep in mind: 


a) Physicality. Whilst for decades innovation has been software-driven, with the 
IoT there is a return to the physical objects, now enhanced with computational 


12 Jay Patel, ‘The Timeline of Things’ (2015) 22 XRDS: Crossroads, The ACM Magazine for 
Students 13. Others claim that the first Thing was a 1991 camera-equipped coffee pot at the Trojan 
Lab at Cambridge University (Paul Ford, ‘It’s All Connected’ [2013] United Hemispheres, as cited 
by Keith Marzullo, in Federal Trade Commission, ‘Internet of Things: Privacy and Security in a 
Connected World’ (2015) 15-16). 

13 Kevin Ashton, ‘That “Internet of Things” Thing’ (2009) 22 RFID Journal 97. 

14 Hugh Boyes and others, ‘The Industrial Internet of Things (IoT): An Analysis Framework’ (2018) 
101 Computers in Industry 1; Theo Lynn and others, ‘The Internet of Things: Definitions, Key 
Concepts, and Reference Architectures’ in Theo Lynn and others (eds), The Cloud-to-Thing 
Continuum: Opportunities and Challenges in Cloud, Fog and Edge Computing (Palgrave Macmillan 
2020) 1. 

15 Noto La Diega and Walden (n 24). 


power, connectivity, and sensing/actuating capabilities. If one overlooks the 
physical element, there is the risk of ignoring the issues that are specific to 
the IoT, which is increasingly enabled by — but should be kept distinct from — 
cloud computing, edge computing, AI, big data, and more recently, blockchain 
technologies. 

b) (Inter)connectivity. As the name IoT suggests, Things are connected to the 
internet, usually wirelessly.16 This raises a number of issues exemplified by 
the hacker who threatened to kidnap a child using a ‘smart’ baby monitor and 
a Nest camera.17 Interconnectivity also means that for the full realisation of 
the IoT’s potential, it is pivotal that Things communicate with other Things 
and with humans. This raises questions of interoperability, as well as liability, 
when an IoT system reconfigures and a harm is produced as a consequence 
of the unforeseen interaction between the Things (so-called ‘repurposing’). 
For example, there are clear tensions between IoT’s repurposing, the GDPR’s 
principle of purpose limitation,18 and the concept of foreseeability in tort 
law.19 

c) Equipment with sensors and actuators.20 Sensors play a crucial role in 
enabling the acquisition of data from the real world and transforming it into 
actions. Their importance is evidenced by the fact that over half of ISO’s 
standards on the IoT are dedicated to sensor networks.21 Actuators are as 
important because they make the Things act based on the information received by 
the sensors. Actions can be fully automated (e.g., lights switching on if 
movement is detected) or may require some human intervention (e.g., a wireless 
sensor network detects a problem in a factory and humans fix it). However, 
current IoT systems are still ‘mostly unprepared for handling human actuation 
as an inherent component of the system.’22 Therefore, it is likely that 


16 Gil Reiter, ‘Wireless Connectivity for the Internet of Things’ (2014) 433 Europe 868MHz. 

17 ‘“I’m in Your Baby’s Room”: A Hacker Took Over a Baby Monitor and Broadcast Threats, Parents 
Say’ (Washington Post, 20 December 2018) <www.washingtonpost.com/technology/2018/12/20/ 

18 Personal data has to be ‘collected for specified, explicit and legitimate purposes and not further 
processed in a manner that is incompatible with those purposes’ (GDPR, art 5(1)(b)). One could 
argue that IoT’s repurposing means that a larger range of purposes becomes compatible with the 
original purposes. 

19 For example, in English law there are three elements in the tort of negligence: duty of care, breach 
of the duty, and damages. The reasonable foreseeability of harm is a key component of the duty of 
care as per Caparo Industries Plc v Dickman [1990] 2 AC 605. The argument could be put forward 
that if the manufacturer of a Thing could not reasonably foresee that an interaction with third-party 
Things would lead to damage, then there would be no duty of care and no negligence. However, it 
could also be argued that the IoT — because of its repurposing potential — by its nature widens the 
scope of what can be reasonably foreseen. 

ISO and IEC (n 18) 42. 

liability issues will arise from the interaction between non-human actuators 
and human ones. 

d) Things as an inextricable mixture of hardware, software, service, digital 
content, and data. Existing legal regimes are predicated on the software-hardware, 
goods-services, and online-offline dichotomies.23 Four examples will suffice. 
First, the rules on liability for defective products were tailored for traditional 
hardware products and may need tweaking24 to accommodate defects related 
to software, service, or data.25 Second, the exclusion from patentability of 
computer programs ‘as such’ relied on a clear distinction between hardware 
and software, in principle patentable and nonpatentable, respectively. 
Therefore, with the blurring of the distinction produced by the IoT, the exclusion 
risks becoming meaningless.26 Third, international trade law is organised 
around the goods-services dichotomy, and current rules, drafted in the 
nineties, are not entirely fit for a ‘world of talking teapots and connected cars.’27 
Increasingly, governments take measures against IoT manufacturers that are 
based not only on the hardware but also on the digital features of the 
products.28 If Things are regarded as goods, the relevant controversies will fall 
under the General Agreement on Tariffs and Trade29 and under the Agreement 
on Technical Barriers to Trade.30 Conversely, if Things are services, the General 
Agreement on Trade in Services31 will govern the litigation.32 Finally, the 
online-offline dichotomy provided a justification for the digital libertarian 
online-offline dichotomy provided a justification for the digital libertarian 


23 There are recent exceptions. Under the Consumer Rights Act, section 16, goods do not conform to 
the contract if ‘the goods are an item that includes digital content’ and the digital content does not 
conform to the contract. For an analysis of this regime, see Siobhan McConnell, ‘Product Quality 
and the Internet of Things: Are the New EU Laws “Smart” Enough?’ [2020] SI REDC. 

24 In Noto La Diega and Walden (n 24), we argued that current product liability rules are flexible 
enough to deal with IoT defects. While I confirm that view, amendments that expressly addressed 
IoT defects would increase legal certainty. 

25 The European Commission has set up a group of experts entrusted with the task of reviewing 
Council Directive 85/374/EEC of 25 July 1985 on the approximation of the laws, regulations, and 
administrative provisions of the member states concerning liability for defective products (Product 
Liability Directive) [1985] OJ L 210/29. One of the main issues that are under consideration is how 
to amend the product liability rules for nonhardware defects. See European Commission, ‘Report 
from the Commission to the European Parliament, the Council and the European Economic and 
Social Committee on the Application of the Council Directive on the Approximation of the Laws, 
Regulations, and Administrative Provisions of the Member States Concerning Liability for 
Defective Products (85/374/EEC)’ COM/2018/246 final. 

26 More on this in Guido Noto La Diega, ‘Software Patents and the Internet of Things in Europe, the 
United States and India’ (2017) 39 EIPR 173. 

27 Anupam Chander, ‘The Internet of Things: Both Goods and Services’ (2019) 18 World Trade 
Review 1. 

28 ibid 3. 

29 1867 U.N.T.S. 187 (GATT). 

30 1868 U.N.T.S. 120 (TBT). 

31 1869 U.N.T.S. 183 (GATS). 

32 While the IoT complicates the classifications at the heart of international trade law, the latter ‘may 
yet prove more adaptable than might have been expected’ (Chander (n 58) 14). 

claim that the internet had to be immune from the regulation of the offline.33 
This political option permeates the e-Commerce Directive,34 which grants 
online intermediaries some immunities for the illegal activities carried out by 
their users (so-called safe harbours).35 As an increasing number of traditionally 
offline intermediaries are embracing the IoT, thus becoming at least in 
principle eligible for the safe harbours, the scope of platform immunity could 
become much wider than originally foreseen.36 


A feature that may not refer to all Things but that can have important legal 
repercussions is that most Things are made of several components (they are composite 
or compound). Even limiting the analysis to the hardware in itself, the Things’ 
components have different manufacturers responsible for different aspects of any 
‘Thing of Things,’ such as a smartphone,37 ‘a composite, multi-purpose Thing, 
with component Things embedded in it including its touchscreen, microphone, 
and other sensors.’38 For example, should a plane equipped with 20,000 sensors 
be treated as a single Thing?39 This creates huge issues of accountability, because 
it could be virtually impossible for a consumer to understand which component 
of the Thing caused harm and who is responsible for it. The manufacturer of the 
final Thing may try to use the composite and system-of-systems nature of the 
Thing to try to disclaim liability.40 As a practical example of the legal 
ramifications of the Things’ composite nature, one can think of wireless modules and the 
difficulties of complying with the relevant EU laws once these modules are no 
longer implemented only in laptops and mobile phones, but in any ... Thing. 
Many manufacturers of Things that embed third-party wireless modules which 
comply with the Radio Equipment Directive41 ‘assume that because these 
wireless modules are compliant as an independent unit, no further action is required, 
but this may not be the case.’42 Indeed, the integration of a wireless module into 


33 Wanshu Cong, ‘Understanding Human Rights on the Internet: An Exercise of Translation?’ (2017) 
22 Tilburg Law Review 138. 

34 Directive 2000/31/EC on certain legal aspects of information society services, in particular 
electronic commerce, in the Internal Market (‘eCommerce Directive’) [2000] OJ L 178/1. 

35 eCommerce Directive, arts 12-14. 

36 It must be said, however, that the current trend is towards a narrowing of the safe harbours. See e.g. 
Giancarlo F Frosio, ‘The Death of “No Monitoring Obligations”: A Story of Untameable Monsters’ 
(2017) 8 JIPITEC <www.jipitec.eu/issues/jipitec-8-3-2017/4621>. 

37 Noto La Diega and Walden (n 24). 

38 W Kuan Hon, Christopher Millard and Jatinder Singh, ‘Twenty Legal Considerations for Clouds of 
Things’ [2016] Queen Mary University of London, School of Law Legal Studies Research Paper 
No 216/2016. 

39 Bernard Marr, ‘That’s Data Science: Airbus Puts 10,000 Sensors in Every Single Wing!’ (Data 
Science Central, 9 April 2015) 
<www.datasciencecentral.com/profiles/blogs/that-s-data-science-airbus-puts-10-000-sensors-in-every-single>. 

40 On these issues, see Singh and others (n 40). 

41 Directive 2014/53/EU on the harmonisation of the laws of the member states relating to the making 
available on the market of radio equipment [2014] OJ L 153/62. 

42 Jean-Louis Evans, ‘IoT Must Learn to Operate in a World of Wireless Regulations’ [2015] 
Electronics Weekly 14. 

a Thing ‘changes the regulatory requirements,’ as the host product as a whole 
must comply with this directive and the relevant standards,44 especially in terms 
of health and safety and electromagnetic compatibility.45 

Whereas to understand — and to regulate — the IoT it is important to agree on its 
core technical features, one should avoid exclusively technical conceptualisations.46 
The IoT is a sociotechnological phenomenon for a twofold reason. First, in order to 
fully comprehend the IoT, one needs to focus on the interaction between the 
technology, human actors, and human processes.47 In this vein, the European Commission 
High-Level Expert Group on Artificial Intelligence’s Ethics Guidelines for 
Trustworthy AI48 deal with ‘socio-technical systems’ and accordingly put forward that 
technological trustworthiness not only concerns the AI system itself ‘but requires a 
holistic and systemic approach, encompassing the trustworthiness of all actors and 
processes that are part of the system’s socio-technical context.’49 Second, especially 
now that the IoT is beyond the hype, it is clear that it is affecting society profoundly. 
This is related to its being an advanced form of technological management. Indeed, 
as noted by Brownsword,50 societal behaviour is increasingly managed by 
technological means. He underlined that technological management should not be allowed 
to run out of public control and called on tomorrow’s jurists to ‘rise to the challenge 
by helping their communities to grapple with the many questions raised by the 
accelerating transition from law (especially from the primary rules of law) to 
technological management.’51 With this book, I aspire to rise to that challenge. 


1.3 Two Reasons That It Is Difficult to Regulate 


There are several reasons that the IoT can be seen as a phenomenon too complex 
to regulate.52 The following subsections will focus on three of them that seem 
particularly important: 


(i) The impossibility to agree on one IoT taxonomy as a consequence of the 
many and diverse application domains and enabling technologies; 


43 ibid 14. 

44 Equipment which complies with the Harmonised Standards for this Directive is presumed to 
comply with the requirements of the Radio Equipment Directive. These are available at 
<https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/red_en>. 

45 Radio Equipment Directive, art 3. 

46 A recent literature review of existing IoT definitions correctly pointed out that there are two main 
conceptualisations of the IoT: technical and sociotechnical. Lynn and others (n 14) 2. 

47 Donghee Shin, ‘A Socio-Technical Framework for Internet-of-Things Design: A Human-Centered 
Design for the Internet of Things’ (2014) 31 Telematics and Informatics 519. 

48 High-Level Expert Group on Artificial Intelligence, ‘Ethics Guidelines for Trustworthy AI’ (2019) 
European Commission. 

49 ibid 5. 

50 Roger Brownsword, Law, Technology and Society: Re-Imagining the Regulatory Environment 
(Routledge 2019). 

51 ibid 30. 

52 See Noto La Diega (n 12). 

(ii) The intrinsically transnational character of Things, which are located in 
many places at the same time (e.g. if the company providing the service is 
not the same as the manufacturer) and are highly mobile, as they can be 
carried, worn, implanted, etc.; 

(iii) The ‘relational black box,’ i.e. the IoT’s complex supply chain and intricate 
ecosystem that lead Thing users to enter into several relationships with 
different actors without necessarily being aware of it. 


These factors that render the IoT difficult to regulate will be explored in the next 
chapter in turn. 


1.3.1 A Kaleidoscope of Taxonomies: Sectoral Fragmentation 
and Enabling Technologies 


If the IoT were a homogenous phenomenon with clear boundaries, it would 
be relatively easy to regulate. However, the IoT is an amorphous mass that 
has applications in radically different domains, relies on a number of enabling 
technologies, pursues a diverse range of business objectives, and has 
several architectural requirements, platform types, and network topologies 
(Figure 1.1). 

For the purposes of this book, it is sufficient to focus on the first two 
complexities, starting off with the ‘sectoral fragmentation,’ i.e. the heterogeneity 
in IoT application domains. The regulation of other technologies is a relatively 
easy task when it is clear what the main sectors or applications are, as is the 
case, for example, with FinTech.53 However, the IoT is used in manifold sectors, 
and each of them has different characteristics and raises different issues. The 
main IoT domains are transportation, e.g. driverless cars; domotics, popularly 
yet incorrectly dubbed ‘smart home’; healthcare, e.g. implantable and ingestible 
Things; energy, e.g. smart grids; city development, i.e. so-called ‘smart cities’; 
manufacturing, e.g. industrial robots; distribution, e.g. RFID tracking; retail, 
e.g. contactless payment systems; agriculture, e.g. irrigation systems; fitness, 
e.g. quantified-self Things; and leisure, e.g. augmented reality wearables.54 
Accordingly, it has been noted that whereas the IoT is being and will be shaped 
by the success of communications policy and regulation, as well as information 
policies, ‘the IoT is likely to be applied in so many ways that policy and practice 

53 However, the blockchain is increasingly multipurposed. See Michèle Finck, Blockchain 
Regulation and Governance in Europe (CUP 2018). 

54 On some regulatory issues stemming from the IoT being a cross-technology and 
cross-application phenomenon, see H Song, GA Fink and S Jeschke, ‘Overview of Security and Privacy 
in Cyber-Physical Systems’ in Security and Privacy in Cyber-Physical Systems: Foundations, 
Principles, and Applications (IEEE 2017); Russ Banham, ‘IoT Complexity’ (2016) 63(6) Risk 
Management 38. 

will be reconfigured across nearly every sector of government, business and 
industry.’55 

Whilst the deployment of Things in all these sectors can improve our lives,56 
it nonetheless raises several issues that are specific to each sector, albeit partly 
overlapping. For example, privacy and security are likely to be relevant across 
the board, but with different issues, depending on whether the Thing is inside 
our body or in a field of daffodils.57 Moreover, these sectors fall under the remit 
of different regulators that usually operate without any form of coordination.58 
To get a sense of the problem, one should observe the fragmented approaches of 
Ofcom, the UK’s communications regulator, in dealing with issues of spectrum;59 
Ofgem, the energy regulator, with smart meters;60 the Centre for Connected and 
Autonomous Vehicles (UK Department for Transport) with self-driving cars;61 
and the UK Civil Aviation Authority with drones.62 This begs the question if a 
holistic regulation is at all possible or sectoral regulations are the way forward. 
The status quo seems to suggest that the latter is the only option, although it 
is highly unsatisfactory because the IoT sectors overlap and many Things can 
be deployed in several sectors (e.g. are robots to be regulated as manufacturing, 
domotics, healthcare, leisure?). At the end of this chapter, a third way to regulate 
the IoT — not properly holistic, not entirely sectoral — will be proposed. 

The fragmentation of the IoT does not depend only on the Things being designed 
for deployment in several sectors. Things can be made and/or provided for certain 
purposes but may end up serving other potentially unforeseen purposes. This is 
a consequence of what I call ‘repurposing,’63 i.e. a critical characteristic of IoT 


55 Dutton (n 74) 4. 

56 I Yaqoob and others, ‘Internet of Things Architecture: Recent Advances, Taxonomy, Requirements, 
and Open Challenges’ (2017) 24 IEEE Wireless Communications 10, 12. 

57 In the field of domotics, see Department for Digital, Culture, Media & Sport, Code of 
Practice for Consumer IoT Security (UK Gov 2018) 
<www.gov.uk/government/publications/code-of-practice-for-consumer-iot-security/code-of-practice-for-consumer-iot-security>. 

58 An exception is constituted by the Comitato permanente per i servizi di comunicazione Machine 
to Machine, which will be dealt with at the end of this chapter. 

59 IoT spectrum is available on a licence-exempt basis or through a Wireless Telegraphy Act licence. 
Ofcom, ‘VHF Radio Spectrum for the Internet of Things’ (2016). Unlicensed spectrum creates 
because it ‘requires efficient spectrum sharing among IoT devices and fair coexistence with 
other wireless networks’ (Ghaith Hattab and Danijela Cabric, ‘Unlicensed Spectrum Sharing for 
Massive Internet-of-Things Communications’ [2019] arXiv:1903.01504 [cs] 
<http://arxiv.org/abs/1903.01504>). 

60 Energy suppliers must take all reasonable steps to roll out smart meters to all their domestic and small 
business customers by the end of 2020 (Gas Supplier Standard Licence Condition 33 and Electricity 
Supplier Standard Licence Condition 39). See Ofgem, ‘Licence Guide: Smart Metering’ (2019). 

61 Centre for Connected and Autonomous Vehicles, ‘Code of Practice: Automated Vehicle Trialling’ 
(2019) Department for Transport. 

62 The main provisions about drones (or small unmanned aircraft) are under the Air Navigation Order, 
arts 94, 94A, 94B, 95, and 241. 

63 Guido Noto La Diega, ‘Clouds of Things: Data Protection and Consumer Law at the Intersection 
of Cloud Computing and the Internet of Things in the United Kingdom’ (2016) 9(1) Journal of 
Law & Economic Regulation 69. 

systems, dependent on their (inter)connectivity and system-of-systems dimension. 
‘Repurposing’ can be understood as the phenomenon whereby an IoT system ends 
up being used for purposes other than those originally foreseen in two scenarios: 


(i) The communication within the relevant subsystem and among subsystems can 
lead the system to perform actions and produce information which the single 
Thing was incapable of or that could not be foreseen by its manufacturers; and 

(ii) Under certain conditions (e.g. an emergency) the system may reconfigure 
either in an automated fashion or a user-initiated one. 


A sectoral approach to regulation presupposes a static and isolated view of Things 
as devices that can be used only for foreseeable purposes and that are not part of a 
system of Things or of a system of systems. This is not the case, and for example, 
a wristband designed for leisure and sport purposes can become a health device, 
depending on the context and the interactions with other Things. 

Technical complexity is another reason why it is difficult to agree on a single 
IoT taxonomy. At a higher level, this means that despite the IoT being advertised 
as making things simple,64 the technologies involved are often unknown to the 
general public, which may now be familiar with the meaning of cloud computing 
but could still not understand what the meaning of RFID, Near-Field 
Communication (NFC),65 Low Energy Bluetooth (LEB), and ZigBee is.66 Education is needed 
to raise awareness on, and therefore trust in, the IoT. Technical complexity also 
means that computer scientists and engineers are still struggling with some 
technical aspects, for instance, those related to hardware constraints (small interfaces, 
reduced energy autonomy, difficulties in encryption), multitenancy (every Thing 
can be controlled by several people in numerous — potentially conflicting — ways), 
and the importance of tracking data throughout the systemic flow, thus ensuring 
integrity and validity (e.g. information flow control,67 sticky policies, etc.). The 


64 Case C-311/11 P Smart Technologies ULC v Office for Harmonisation in the Internal Market 
(Trade Marks and Designs) (OHIM) (CJEU, 12 July 2012). In this case, regarding the mark ‘Wir 
machen das Besondere Einfach’ (we make special things simple), the court observed that OHIM 
does not need ad hoc evidence when taking well-known facts into consideration in its assessment; 
one of them is that many undertakings assert in their advertising for smart technologies that their 
products are simple to use (ibid [15]). 

65 Popularised by Apple Pay and Google Pay, near-field communication, or NFC, is a ‘form of 
contactless, close proximity, radio communications based on radio-frequency identification (RFID) 
technology’ (Rick Ayers, Sam Brothers and Wayne Jansen, Guidelines on Mobile Device 
Forensics (National Institute of Standards and Technology 2014) NIST SP 800-101r1, 70). For an 
example of use of NFC in an IoT context, see Daniel Palma and others, ‘An Internet of Things 
Example: Classrooms Access Control over Near Field Communication’ (2014) 14 Sensors 6998. 

66 ZigBee is a proprietary standard which defines a set of communication protocols and is suitable for 
applications with low cost, low data rate, and long battery life requirements. 

67 These decentralised systems allow the controlled exchange of data between Things in compliance 
with pre-established policies. 

68 These are machine-readable policies that ‘stick’ to data to define allowed usage and obligations. 
Sticky policies are particularly useful in the IoT because they enable a secure and 
privacy-compliant processing and storing of data at edges of the network. 

technical complexity of the IoT begs some foundational questions. Can 
regulation resolve the technical problems of the IoT? Is it wise to regulate a 
phenomenon that is too complex to be fully understood and that has not reached maturity 
yet? Should regulation prevent the deployment of Things whose underlying 
technologies are still in their early stages and thus vulnerable? Some solutions may 
be provided by the technology itself; others will require legal change. It seems 
increasingly clear that any strategy that relies either only on technological 
solutions or on legal solutions would be affected by reductionist regulatory trends that 
go by the name of techno-legal solutionism.69 

Understanding the enabling technologies of the IoT is important for a proper 
regulation of the phenomenon. Among these, connectivity deserves separate 
attention because it is crucial for the existence itself of the IoT and it is linked to 
interoperability (or lack thereof); that is one of the main reasons that it is 
important, yet difficult, to regulate. Things that do not connect and are not interoperable 
lead to what we can call the Internet of Silos, which is due mainly to two 
factors. First, IoT data is often held in ‘silos’ that are ‘difficult to integrate without 
time-consuming data discovery and licensing.’70 Second, IoT platforms can be 
vendor- and industry-specific, with few opportunities for smaller businesses to 
join.71 Things are heterogeneous, and for their connectivity to function, 
‘different networking and communication technologies are used,’ such as 
software-defined networking,73 cellular,74 low-range wireless area network,75 IPv6 over 


69 cf Lina Dencik and Arne Hintz, ‘Civil Society in an Age of Surveillance: Beyond 
Techno-Legal Solutionism?’ (Civil Society Futures, 26 April 2017) 
<https://civilsocietyfutures.org/civil-society-in-an-age-of-surveillance-beyond-techno-legal-solutionism/>. 

70 Brown (n 79) 14. 

71 ibid 19. 

72 Yaqoob and others (n 112). 

73 Also known as SDN, this is ‘a technology that allows separation of control and data planes and 
brings network programmability to the realm of advanced data forwarding mechanisms’ (Khalid 
Halba and Charif Mahmoudi, ‘In-Vehicle Software Defined Networking: An Enabler for Data 
Interoperability’ Proceedings of the 2nd International Conference on Information System and 
Data Mining — ICISDM ’18 (ACM Press 2018)). SDN enables heterogeneous data flows to be 
exchanged and is therefore useful in an IoT context. 

74 For long-distance operations, Things often rely on GSM, 3G, and 4G. This is seen as ‘the most 
ideal for the sensor-based low-bandwidth-data projects’ (Yaqoob and others (n 62) 12). On 
spectrum scarcity and cross-technology interference, see Vijay K Shah and others, ‘Designing Green 
Communication Systems for Smart and Connected Communities via Dynamic Spectrum Access’ 
(2018) 14 ACM Transactions on Sensor Networks 1. 

75 Hailed as a key enabler of the IoT (Nicolas Ducrot and others, LoRa Device Developer Guide 
(Orange Connected Objects & Partnerships and Actility 2016)), LoRaWAN is one of the most suc- 
cessful technologies in the low-power wide area networking (LPWAN) space. Like all LPWAN 
technologies, it is characterised by low data rate and robust modulation to achieve a multikilometre 
communication range (Ferran Adelantado and others, ‘Understanding the Limits of LORaWAN’ 
(2017) 55 IEEE Communications Magazine 34). Thanks to its low data rate, it features low power 
consumption, whilst a single gateway can cover a range of tens of kilometres and serve up to thou- 
sands of Things (ibid 40). 
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Low-Power Wireless Personal Area Networks,’° Neul,” and Sigfox.’® One of the 
reasons of this proliferation is that in the IoT, ‘there is not a single solution for all 
the possible connectivity needs.’” 

The Internet of Silos constitutes a threat to the functioning of the IoT — for 
example, if Amazon Echo cannot control noninteroperable lightbulbs. However, 
it goes beyond this, and it can affect the security of the IoT and, hence, user safety. 
Autonomous cars provide a useful case study, in that a lack of communication 
between the Things inside the vehicle can lead to a high degree of vulnerability. 
If the radar system does not trigger the electronic stability control, the car may 
not be able to ensure user safety in high-risk situations.⁸⁰ The lack of interoperability 
is often due to the adoption of proprietary systems (e.g. Apple)⁸¹ and to 
the limited development of generally accepted standards.⁸² On the face of it, the 
former may be dealt with from an antitrust perspective, for example, arguing an 
abuse of dominant position⁸³ by the owner of a standard essential patent (SEP), as 


76 6LoWPAN is ‘an adaptation layer for IPv6 that addresses device limitations by means of header 
compression and protocol optimizations’ (The British Standards Institute, ‘Intelligent Transport 
Systems — Communications Access for Land Mobiles (CALM) — 6LoWPAN Networking’ (2016) 
BS ISO 19079:2016, v). IPv6, or Internet Protocol version 6, is a data communication protocol 
towards which traditional internet protocols (IPv4) are migrating. Since the pool of public addresses 
in IPv4 was exhausted in 2011, the shift to the new version, which has 128-bit addresses, will allow 
every Thing to be uniquely identifiable. See International Electrotechnical Commission, ‘Power 
Systems Management and Associated Information Exchange — Part 200: Guidelines for Migration 
from Internet Protocol Version 4 (IPv4) to Internet Protocol Version 6 (IPv6)’ (2015) IEC TR 
62357-200 6. 6LoWPAN allows several Things to be deployed in local wireless sensor networks 
using the ‘address space of IPv6 for data and information harvesting through the Internet’ (Anhtuan 
Le and others, ‘6LoWPAN: A Study on QoS Security Threats and Countermeasures Using Intrusion 
Detection System Approach’ (2012) 25 International Journal of Communication Systems 1189). 

77 Neul is a ‘weightless wide range wireless networking technology designed to support IoT’ (Yaqoob 
and others (n 62) 12). 

78 As noted by Radek Fujdiak and others, ‘On Track of Sigfox Confidentiality with End-to-End 
Encryption’ Proceedings of the 13th International Conference on Availability, Reliability and 
Security — ARES 2018 (ACM Press 2018), like all LPWANs, proprietary communication technology 
SigFox is low-cost, low-power, long-range, and it can harvest information from millions of 
nodes. Although it has some security issues, it strikes a balance between security, performance, and 
low cost (Thomas Eisenbarth and others, ‘A Survey of Lightweight-Cryptography Implementations’ 
(2007) 24 IEEE Design & Test of Computers 522). 

79 Adelantado and others (n 81) refer to the low-power M2M fragmented connectivity space, but the 
assertion can be applied to IoT connectivity more generally. 

80 Halba and Mahmoudi (n 129). 

81 This is a common issue, as exemplified by Google’s domotics brand Nest, which warns users that 
they should use Nest products (e.g. the thermostat) only with Things designated by Nest as compatible. 
Third-party Things that do not carry such designation may not work or may have limited 
functionality, and Nest disclaims all liability related to the use of unauthorised Things. See Nest 
Terms of Service as updated on 23 May 2018, para 4(q) <nest.com/legal/terms-of-service/>. 

82 Jack Moore, ‘Will Government Regulation Kill the Internet of Things?’ (Nextgov.com, 8 December 2014) 
<www.nextgov.com/emerging-tech/2014/12/will-government-regulation-kill-internet-things/100695/>. 

83 Giuseppe Mazziotti, ‘Did Apple’s Refusal to License Proprietary Information Enabling Interoperability 
with Its iPod Music Player Constitute an Abuse under Article 82 of the EC Treaty?’ (2005) 
28 World Competition 253. 

will be explored in Chapter 6. As to the latter, in September 2018, ISO published 
the world’s first standard reference architecture for the IoT.⁸⁴ This document 
describes the generic characteristics of IoT systems,⁸⁵ a conceptual model outlining 
the key concepts of the IoT,⁸⁶ a reference model,⁸⁷ and a set of architecture 
views, i.e. functional, system, networking, and usage view. Thus, it guides those 
who develop IoT systems and ‘aims to give a better understanding of IoT systems 
to the stakeholders of such systems, including device manufacturers, application 
developers, customers and users.’⁸⁸ This standard is a positive development, and it 
may lead to the adoption of a common language in the IoT world, thus ultimately 
favouring interoperability and overcoming the Internet of Silos. However, four 
critiques can be levelled at this laudable effort. 

First, there is a fragmented approach to the ‘law by design’ question. By ‘law by 
design’ we mean the adoption of technical and organisational measures to comply 
with relevant laws, from the initial moments of the design of the product or service. 
An example of this approach is the data protection by design principle that has 
been mandated by the GDPR.⁸⁹ The new ISO standard imperfectly deals with the 
‘law by design’ question. For example, the standard considers compliance as one 
of the characteristics of an IoT system, and it refers to ‘a variety of laws, policies 
or regulations.’⁹⁰ However, this standard regards as relevant for the IoT only the 
regulations that deal with interoperability, safety, radio frequencies, and consumer 
protection. Surprisingly, especially given the rise of the data protection by design 
principle, data protection laws are not considered in the compliance section. They 
are, conversely, separately dealt with as trustworthiness-related characteristics. 
Another drawback of the standard is that it refers to ‘personally identifiable information’ 
(PII), a typically American way to refer to personal data.⁹¹ This is problematic 
because PII is ‘any information that (a) can be used to establish a link 
between the information and the natural person to whom such information relates, 


84 ISO and IEC (n 38). 

85 These are divided into trustworthiness, architecture, and functional characteristics. See ibid 13. 

86 These are entity, digital entity, physical entity, IoT-user, network, identity, and domain. Entities 
can be a person, an organisation, a Thing, a subsystem, or a combination thereof. Entities are subdivided 
into the Thing (physical), the IT systems (digital), the user (IoT-user), and communication 
networks (network). Entities are associated with identifiers that allow them to communicate with 
other entities. IoT systems are analysed as subsystems, where entities are grouped based on a common 
purpose, i.e. a domain. Subsystems and entities within a domain interact with each other and 
with subsystems and entities from other domains. ibid 33. 

87 The overall structure of the architecture’s elements is broken down into an entity-based reference 
model and a domain-based one. More information ibid 42–44. 

88 ibid 10. 

89 GDPR, art 25. 

90 ISO and IEC (n 18) 25. 

91 On the differences between the US and the EU approach to data protection and a proposal to bridge 
them, see Paul M Schwartz and Daniel J Solove, ‘Reconciling Personal Information in the United 
States and European Union Essay’ (2014) 102 California Law Review 877. 

or (b) is or can be directly or indirectly linked to a natural person.’⁹² Conversely, 
in the EU, personal data is broader in that it refers to ‘any information relating 
to an identified or identifiable natural person.’⁹³ To determine whether a natural 
person is identifiable, in the EU, account must be taken of ‘all the means reasonably 
likely to be used, such as singling out, either by the controller or by another 
person to identify the natural person directly or indirectly.’⁹⁴ This suggests that 
compliance with the standard may expose the IoT controller to a violation of EU 
data protection laws. 

Second, it is important to keep in mind that often, despite the existence of standards, 
if the market is oligopolistic, there can be issues of lack of interoperability 
linked to proprietary software, network effects, and lock-in.⁹⁵ These could be 
partly resolved by tweaking the Software Directive⁹⁶ in order to expressly allow 
the ‘sharing of interface specifications obtained by decompilation.’⁹⁷ However, 
this does not necessarily resolve the problems created by other intellectual property 
rights (e.g. trade secrets), as well as by technological protection measures 
and contracts.⁹⁸ 

Third, even though in theory this standard is ‘neutral,’ as it is usable by anyone 
in any context, it owes much to previous standards that were developed for different 
applications and stakeholders,⁹⁹ namely, smart grids,¹⁰⁰ transport,¹⁰¹ and 
cities;¹⁰² thus, the result is necessarily affected and not genuinely neutral. Finally, 
several entities keep working on IoT standardisation in an uncoordinated fashion. 
These include AIOTI — the European Alliance for Internet of Things Innovation; 


92 ISO and IEC, ‘Information Technology — Security Techniques — Code of Practice for Protection 
of Personally Identifiable Information (PII) in Public Clouds Acting as PII Processors’ (2019) 
ISO/IEC 27018:2019(E) 3.2. 

93 GDPR, art 4(1). Although different, the element of the ‘link’ has some relevance also in our 
jurisdiction, as exemplified by Efifiom Edem v Information Commissioner and Financial Services 
Authority [2014] EWCA Civ 92. In Edem, it was decided that the biographical significance and 
focus tests, whereby data is personal only if it has biographical significance and focuses on the 
individual affecting their privacy, apply only when the data requested is not obviously about an 
individual or clearly linked to them. Thus, the court restricted the applicability of those tests as 
laid out in Durant v Financial Services Authority [2003] EWCA Civ 1746. 

94 GDPR, recital 26. 

95 Sally Weston, ‘Improving Interoperability by Encouraging the Sharing of Interface Specifications’ 
(2017) 9 Law, Innovation and Technology 78. 

96 Directive 2009/24/EC on the legal protection of computer programs [2009] OJ L 111/16, art 6. 

97 ibid 78. 

98 cf Josef Drexl, ‘Designing Competitive Markets for Industrial Data. Between Propertisation and 
Access’ (2017) 8 JIPITEC 257; Guido Noto La Diega, ‘Artificial Intelligence and Databases in 
the Age of Big Machine Data’ (2019) 25 AIDA 2018 93. 

99 Brown (n 79) 13. 

100 There are thirteen international standards on smart grids. See e.g. PD IEC TS 62872-1:2019 and 
BS IEC SRD 62913-1:2019. 

101 There are eight international standards on smart transport. See e.g. BS ISO 37154:2017 and 
18/30350145 DC. 

102 There are fourteen international standards on smart cities. See e.g. BS ISO/IEC 30182:2017 and 
PAS 184:2017. 

IIC — the Industrial Internet Consortium; ISO/IEC JTC 1 — Working Group 10 on 
the Internet of Things; ITU-T — International Telecommunications Union Joint 
Coordination Activity on Internet of Things and Smart Cities and Communities; 
as well as W3C — the World Wide Web consortium and their Web of Things interest 
group.¹⁰³ 

The difficulty of identifying one IoT taxonomy, because of the sectoral fragmentation 
and the technological complexity, is not the only reason that regulating the 
IoT is a complicated matter. Indeed, the intricacy of the supply chain is a key 
factor to consider. 

A second element helps to explain the difficulties in regulating the IoT 
and in understanding how existing laws apply to it: the intrinsically transnational 
character of the Things. 


1.3.2 Where Are the Things? Regulation, Law, and Jurisdiction in 
Intrinsically Transnational Systems 


As Bauman put it, in modern times, ‘(p)ower can move with the speed of the 
electronic signal — and so the time required for the movement of its essential 
ingredients has been reduced to instantaneity. For all practical purposes, power 
has become truly exterritorial.’¹⁰⁴ With the IoT, power becomes fluid in the sense 
that it is both territorial and extraterritorial at the same time. 

To understand who should regulate the IoT, which laws apply, and which court 
has jurisdiction, one should geographically locate the Thing at issue. This is no 
easy task, given that we are talking about an inextricable mixture of hardware, 
software, service, and data. To respond to the question ‘Where is the Thing?’ it is 
useful to go back to the beginning of the internet, when the legitimacy of national 
laws to regulate cyberspace was first called into question. Since the IoT is a 
species of the genus ‘Internet,’ it inherits the issues of the latter,¹⁰⁵ although they 
can be exacerbated, as is the case with the matter at hand. 

When the internet was invented, it was perceived as a stateless space where any 
traditional law had to be avoided because it could have nipped in the bud a nascent 
industry; traditionally territorial legal categories, it was argued, could not apply to 
the internet.¹⁰⁶ Those days are long gone; the internet has become centralised and 
controlled by few transnational corporations that are often more powerful than 
states, and the latter have reacted with a proliferation of attempts to regulate the 
internet, with national authorities endeavouring to enforce domestic law beyond 


103 Henri Barthel et al., ‘GS1 and the Internet of Things’ (2016). 

104 Zygmunt Bauman, Liquid Modernity (Polity Press; Blackwell 2000) 10-11. Emphasis added. 

105 ITU (n 18). 

106 See, e.g. the calls on the government to leave cyberspace alone and the claim that the former had 
no sovereignty online, in John Perry Barlow, ‘Declaration of Independence for Cyberspace.’ For 
a criticism of his rhetorical strategies, see Aimée Hope Morrison, ‘An Impossible Future: John 
Perry Barlow’s “Declaration of the Independence of Cyberspace”’ (2009) 11 New Media & Society 
53. 

their territories.¹⁰⁷ The change in the industry legitimates a change in regulatory 
attitudes, but it does not justify the current attempts that are often uncoordinated, 
not technologically aware, bordering on vexatious. Internet regulation brings to 
mind the pamphlet Yet Another Effort, Frenchmen, before You Call Yourselves 
Republicans, included by the Marquis de Sade in his 1795 book Philosophy in the 
Bedroom.¹⁰⁸ There, one can find a passionate attack on universal laws, regarded as 
absurd and necessarily exceptional: ‘the punishment of a man for violating a law 
which he cannot observe is no more just than the punishment of a blind man for 
failing to differentiate colors.’¹⁰⁹ It is fair to say that the many laws of the internet 
are so intricate — and their attempts at extraterritorial enforcement so contradictory — 
that many companies operating online cannot be reasonably expected to comply 
with all the cyberlaws, whose colours, to recall de Sade’s metaphor, they cannot 
see. Expecting such compliance would often require that these companies 
infringe upon Aristotle’s principle of noncontradiction.¹¹⁰ 

The IoT contributes to overcoming the depiction of the internet as stateless 
and lawless inasmuch as that depiction was predicated on the dichotomy between 
online and offline.¹¹¹ The rationale that the internet is a separate world where 
separate (no) rules apply becomes untenable when all of us have become constituent 
parts of the infosphere,¹¹² constantly online through our Things,¹¹³ nodes 
of the internet infrastructure.¹¹⁴ This has been regarded as a positive shift with 
potential for increased solidarity, empathy, and democratisation of the internet.¹¹⁵ 
However, risks of loss of autonomy, self-determination, and privacy should not 
be overlooked. 

Whereas there are good reasons to regulate the IoT, it is difficult to identify 
which authority has legitimacy to regulate, what the applicable law is, and which 
courts have jurisdiction¹¹⁶ in a context where hardware, software, service, and 
data are inextricably mixed and simultaneously online and offline, with each 
component and subcomponent potentially being owned, controlled, or provided 
by several private and public entities located in different countries. The task of 
resolving complex cross-border issues has been traditionally undertaken by private 
international law.¹¹⁷ However, perhaps surprisingly, most states’ private international 
laws do not provide for jurisdictional claims over any internet content that 
can be accessed in their respective territories, let alone the application of their 
own laws.¹¹⁸ For this reason, this section will focus on four attempts to regulate 
the IoT in a way that accounts for the Things’ intrinsically transnational dimension. 
These attempts regard data protection, cross-border portability of online 
content, geoblocking, and free flow of nonpersonal data. 

When the legal issues in the IoT started being investigated, it became clear that 
a problem of utmost importance concerned cross-border data flows, ‘which occur 
when IoT devices collect data about people in one jurisdiction and transmit it to 
another jurisdiction with different data protection laws for processing.’¹¹⁹ Whilst 
this problem is not specific to the IoT, it becomes more pressing with Things 
that generate ‘big machine data’¹²⁰ and are intrinsically cross-border due to their 
architecture and supply chain. For example, these Things can automatically connect 
to other Things¹²¹ and transmit information across borders,¹²² which begs 
the question, to what extent can liability be placed on those who cannot predict 
the data flows?¹²³ This has practical consequences also in light of the case law 
epitomised by Dow Jones & Co. Inc. v. Gutnick,¹²⁴ based on the presumption that 
online publication is targeted at all states, on the ground that ‘[h]owever broad may be 
the reach of any particular means of communication, those who make information 
accessible by a particular method do so knowing of the reach that their information 
may have.’¹²⁵ Such foreseeability would seem to be less certain in a time of 
automated IoT communications. 

A well-known way to deal with the issue is the GDPR’s very broad extraterritorial 
application clause.¹²⁶ Whilst the GDPR’s extraterritorial clause could 
be seen as an extreme way of dealing with the transnational nature of many 
sociotechnological phenomena, including the IoT, the following section will 
deal with three understudied and overall more moderate strategies, all of which 
fall under the so-called Digital Single Market (DSM).¹²⁷ The idea dates back 
to 2005, when the European Commission launched i2010, a strategy aiming 
primarily to ‘establish a European information space, i.e. a true single market 
for the digital economy.’¹²⁸ Only three years later, however, during the midterm 
review, the Commission identified new themes to consider for a longer-term 
agenda for the EU that included, for the first time expressly, ‘the DSM.’¹²⁹ 
The latter became a goal of the EU in 2015, when the DSM Strategy¹³⁰ was 
launched with the aim to create a single market where ‘the free movement of 
goods, persons, services and capital is ensured and where individuals and businesses 
can seamlessly access and exercise online activities,’ irrespective of 
nationality or residence, pursuant to fair competition, consumer protection, and 
data protection. The pillars of the DSM strategy are access, environment, economy, 
and society. First, the implementation promises to lead to better access 
for consumers and businesses to digital goods and services across Europe. For 
example, the new Payment Services Directive¹³¹ made sure that new providers 
of innovative payment services could compete on equal terms,¹³² while ensuring 
high levels of security through strong customer authentication.¹³³ Second, 
it aims to create the right conditions and a level playing field for digital networks 
and innovative services to flourish (e.g. the end of roaming charges).¹³⁴ 
Third, it wants to maximise the growth potential of the digital economy.¹³⁵ For 
example, since 2019 online marketplaces and search engines must disclose 
the main parameters they use to rank goods and services.¹³⁶ Whilst the DSM 
strategy may greatly benefit IoT stakeholders, it seems vitiated by the reliance 
on the same dichotomies that the IoT disrupted. The idea itself of a separate 
‘digital’ strategy, for example, reflects the outdated view of a divide between 
online and offline. 

The strategy has led to 28 legislative interventions,¹³⁷ the most (in)famous¹³⁸ of 
which is the EU reform of copyright,¹³⁹ introducing the so-called upload filter¹⁴⁰ 
and a new publishers’ right.¹⁴¹ Whilst we share the concerns that this reform risks 
being useless if not dangerous,¹⁴² the DSM Copyright Directive does not tackle 
any of the cross-border issues that are important for the IoT. Therefore, the focus 
of this section will be on three other DSM measures that are relevant from a cross-border 
and IoT perspective: the reforms of portability of online content services, 
geoblocking, and free flow of nonpersonal data. 

In 2020, the DSM strategy was rebranded ‘European Digital Strategy’ and led, 
most famously, to the Digital Services Act and the Digital Markets Act.¹⁴³ 


1.3.2.1 Netflix Law: The Cross-Border Service Portability Regulation 
and the Indirect Reform of Copyright’s Territoriality: 
Ubiquitous Access to Online Content Services for 
Ubiquitous Computing 


Whereas providers of traditional ‘offline’ services have been relying on the EU 
Treaties’ freedoms since at least 1974,¹⁴⁴ until recently the same was not always 
true for online services.¹⁴⁵ 

The resulting fragmentation of the audiovisual media market was — and to 
some extent still is — mainly due to the principle of territoriality of copyright, 
including broadcasting rights.¹⁴⁶ Most Europeans access copyright content, 
such as films and music online, increasingly through Things other than computers.¹⁴⁷ 
Therefore, the resulting discriminatory practices adversely affected IoT 
providers and consumers, since the whole point of buying (or renting) a Thing 
and not a traditional device is to access its ‘smart’ components, which often 
entail audiovisual content. This is reflected in the rise of the concept of complex 
multimedia product in European jurisprudence.¹⁴⁸ If a consumer travels from 
one member state to another and, by doing so, can no longer use the Thing 
because the audiovisual content becomes unavailable, this would profoundly 
affect the Thing as a whole. Let us imagine that a consumer buys an Amazon 
Echo in the UK and then relocates to Italy to write a book about the IoT; if the 
consumer can no longer access Echo’s services, they are left with an expensive 
Coke can–shaped speaker. 

A reform of copyright’s principle of territoriality would have been the ideal 
way to overcome some of these issues. Instead, in June 2017 the EU introduced 
the Cross-Border Service Portability Regulation.¹⁴⁹ This recognised that the 
‘proliferation of portable devices such as laptops, tablets and smartphones are 
increasingly facilitating the use of online content services by providing access to 
them regardless of the location of consumers.’¹⁵⁰ Accordingly, it introduced the 
cross-border portability of online content services, by ensuring that subscribers to 
portable, paid-for¹⁵¹ online content services (e.g. Netflix and Spotify) ‘which are 
lawfully provided in their Member State of residence can access and use those services 
when temporarily present in a Member State other than their Member State 
of residence.’¹⁵² Thus, the regulation overcame the main barrier to the free movement 
of audiovisual content throughout the EU, which stemmed from the fact that 
the ‘rights for the transmission of content protected by copyright or related rights, 
such as audiovisual works, are often licensed on a territorial basis.’¹⁵³ This hinders 
the DSM because the acquisition of a licence for relevant rights is not always 
possible, in particular when rights in content are licensed on an exclusive basis.¹⁵⁴ 
From this book’s perspective, this regulation is relevant for at least six reasons. 
First, although this regulation does not have a provision on the territorial scope 
of the jurisdiction, it can be inferred that it only applies to the companies with an 
establishment in a member state and providing online content services to consumers 
in the European Economic Area.¹⁵⁵ Hence, a moderate approach to jurisdiction 
without overreaching risks. Second, more generally, it acknowledges the 
importance of ensuring ubiquitous access to audiovisual contents, broadcasts, and 
other protected works in an IoT world. Third, allowing lawful users of audiovisual 
content and broadcasts to retain access to the relevant online services if temporarily 
abroad is an insufficient response to the problems connected to copyright’s 
territoriality, which would have been better resolved in the context of a copyright 
reform. The territoriality of copyright laws is still an issue that, if not adequately 
resolved, will keep preventing the IoT from growing.¹⁵⁶ Indeed, a more organic 
and ideally international reform of copyright, including territoriality and subject 
matter,¹⁵⁷ is needed because we live in an age where copyright materials circulate 
through digital flows that cross borders continuously; in such an age, some pre-internet 
principles are no longer fit for their purpose.¹⁵⁸ Fourth, this regulation for 
the first time openly confesses the real purpose of consumer laws, that is, not protecting 
consumers as such. Consumers are protected only as a means to the actual 
end of realising a more competitive market.¹⁵⁹ Indeed, the opening of the regulation 
is adamant in stating that the reasons for ensuring seamless access to online 
content services throughout the EU are ‘the smooth functioning of the internal 
market and . . . the effective application of the principles of free movement of persons 
and services.’¹⁶⁰ Fifth, the Cross-Border Service Portability Regulation, like 
the GDPR,¹⁶¹ recognises that private ordering by means of contracts (including 
copyright licences) can frustrate the public interest, be it the fundamental rights 
to privacy and data protection or, in this instance, the principle of free competition. 
Indeed, it provides that ‘[a]ny contractual provisions . . . which are contrary 
to this Regulation, including those which prohibit cross-border portability of 
online content services or limit such portability to a specific time period, shall be 
unenforceable.’¹⁶² This legal innovation explains Netflix’s vaguely worded terms 
of use, whereby 


You may view the Netflix content primarily within the country in which you 
have established your account and only in geographic locations where we 
offer our service and have licensed such content. The content that may be 
available to watch will vary by geographic location and will change from 
time to time.¹⁶³ 


These terms must be interpreted as not allowing restrictions for intra-EEA travellers. 
The unenforceability of contractual circumventions echoes similar provisions 
whereby contracts that purport to circumvent copyright defences are null 
and void.¹⁶⁴ These are becoming increasingly common, as illustrated by the Copyright 
in the DSM Directive. Nor are they limited to copyright and business-to-consumer 
contracts in the audiovisual market. For example, as of July 2020, the 
Platform to Business Regulation¹⁶⁵ imposes fairer and transparent terms in the relationships 
between business users and providers of online intermediation services. 
Non-compliant terms and changes without notice are ‘null and void, that is, 
deemed to have never existed, with effects erga omnes and ex tunc.’¹⁶⁶ Although 
this prevalence of statutory provisions on contractual terms does not apply across 
the board, it is hoped that it will become a standard feature of the regulation of 
online relationships as it contributes to tackling a power imbalance that the IoT 
has done nothing but exacerbate. 

Finally, the Cross-Border Service Portability Regulation’s scope relies on the 
divide between free and paid-for services.¹⁶⁷ The rationale of the exclusion of 
providers of online content services that are provided without payment of money 
is that these companies could not afford the ‘disproportionate costs’¹⁶⁸ of compliance, 
for example, to implement a mechanism to verify the member state of 
residence of the subscribers.¹⁶⁹ This may sound naive to those who are aware that, 
with the advent of the business models that have replaced subscription fees with 
the harnessing of the users’ personal data, the free/paid-for distinction no longer 
holds.¹⁷⁰ 

Another measure that tackles the tension between transnationality of Things 
and territoriality of laws is the Geoblocking Regulation,¹⁷¹ which can be seen as 
complementing the right to service portability. 


1.3.2.2 The EU Ban on Unjustified Geoblocking or the Illusion of 
Realising a DSM without Reforming Intellectual Property Laws 


Applicable as of 3 December 2018, the Geoblocking Regulation ensures that consumers 
can access goods and services online without worrying about discrimination 
or geographically based restrictions. Traders would adopt geoblocking and 
other discriminatory practices that denied or limited access to goods or services 
by customers wishing to engage in cross-border transactions. Geoblocking occurs 
when these customers have no or limited access to other member states’ traders’ 
online interfaces (e.g. unavailable websites and apps).¹⁷² For example, an Echo 
Show bought in the UK may not provide access to Amazon’s shopping interface 
if the user carried the device to Italy.¹⁷³ ‘Other discriminatory practices,’ in turn, 
occur when, despite the absence of objective reasons, certain traders apply different 
general conditions of access to their goods and services with respect to such 
customers from other member states.¹⁷⁴ Linking back to the IoT, this would be the 
case if Google Home used the GPS sensor to offer personalised pricing. 

To tackle the more general underlying problem, the Geoblocking Regulation 
introduced four main provisions, i.e. the prohibition to: 


(i) Block or limit consumers’ access to an online interface; 

(ii) Redirect consumers to a version of an online interface based on their nation- 
ality or place of residence that is different from the online interface to which 
the consumers first sought access; 

(iii) Apply different general conditions of access when selling goods or providing 
services in situations laid down in the Geoblocking Regulation; and 

(iv) Accept payment instruments issued in another member state on a discrimina- 
tory basis. 


Overall, if implemented and enforced adequately, the Geoblocking Regulation 
may benefit IoT stakeholders and consumers because it prevents fragmentation 
and overcomes the online-offline divide, in that it applies to both online and 
offline sales of goods and services, ‘as well as cases where these two channels are 
integrated.’¹⁷⁵ However, there are at least three reasons for criticism. 

First, the regulation does not outlaw geoblocking and discriminatory practices
as such, but only to the extent and in the event that they are not objectively justified.
What an objective justification means is not entirely clear. Article 4 defines
certain situations ‘where there can be no justified reason,’ but it does not define
the concept of ‘objective justification.’ For instance, traders are never justified
when they discriminate against customers that seek to receive services from a
trader, other than electronically supplied services, in a physical location within the
territory of a member state where the trader operates. Even in these scenarios
where the discrimination is considered unjustified by the regulation, geoblocking
or differential treatment may still be allowed where an EU or national legal
requirement (in compliance with EU law) obliges the trader to block access to the
goods or services offered. If understanding which discriminatory practices are
unjustified is difficult, having a grasp of what is ‘objectively justified’ is a Sisyphean
task. The regulation does not say much apart from the fact that ‘[d]ifferent
treatment . . . should be based only on objective and well justified reasons.’


The European Commission’s guidance does not meaningfully elaborate on this
point. It tells the reader that the general prohibition of discrimination on grounds
of nationality is specified by the Services Directive, which allows differences
in the conditions of access where those differences are directly justified by
objective criteria. Examples of these are the lack of the required IPRs in a particular
territory and the additional costs incurred because of the distance involved
or the technical characteristics of the provision of the service. To understand
what can be objectively justified, one can also consider EU antitrust case law on
discrimination of consumers by nationality and/or residence. For example, in
the Deutsche Post AG case, the world’s largest courier company was held to be
abusively imposing discriminatory pricing on letter mail coming from the UK as
‘different tariffs . . . cannot be justified on the basis of objective economic factors
[as they do not have] sufficient or reasonable relationship to real costs or to the
real value of the service provided.’ The lack of guidance affects that same legal
certainty that the regulation wanted to improve. For example, it is difficult to
foresee how Alibaba’s Transaction Service Agreement will play out in European
courts inasmuch as it provides that


The types of Online Transactions and other benefits, features and functions 
of the Transaction Services available to a registered member may vary for 
different countries and regions. No warranty or representation is given that 
the same type and extent of transactions, benefits, features and functions will 
be available to all members.


This agreement cannot be interpreted as giving the Chinese e-commerce giant
discretion to carry out discriminatory practices, including geoblocking: they
have to be based on objective and well-justified reasons.

Second, with regard to the prohibition to apply different general conditions
to the access to goods and services, the weak point is that the provision does not
apply to ‘services the main feature of which is the provision of access to and use
of copyright protected works or other protected subject matter.’ The regulation
is designed not to affect the rules applicable in the field of copyright and neighbouring
rights. It follows that copyright and other intellectual property rights
(IPRs) may also nullify the effect of other geoblocking-related prohibitions. For
example, the provision that allows the blocking of access to online interfaces
and redirection when ‘necessary in order to ensure compliance with a legal
requirement’ may be interpreted as meaning that said block and redirection are
permitted when they have the purpose of protecting copyright materials. Given
the fact that many aspects of a Thing are covered by IPRs, it is fair to say that
copyright — including licences and technical protection measures — may be used
to factually reintroduce discriminatory access conditions for Thing users based
on their nationality, residence, or establishment, thus effectively sidestepping
the prohibition of geoblocking and other discriminatory practices. If the Cross-Border
Service Portability Regulation was open to criticism because it constituted
an indirect and imperfect way to reform copyright’s territoriality, the Geoblocking
Regulation is worse in that it rests on the illusion that IP-enabled discriminatory
practices can be resolved without dealing with IP in the first place. Along the
same lines, the latter regulation excludes audiovisual services from its scope.
This means that IoT manufacturers could geoblock some of their
services, thus affecting the ‘smartness’ of the Thing as a whole. In November
2020, the Commission reported on the evaluation of this regulation. This could
have been the opportunity to extend it to copyright content and audiovisual services;
this would have greatly benefitted IoT stakeholders and consumers. Instead,
the Commission concluded that, despite the potential benefits for consumers, the
inclusion of copyright-protected content needs to be further assessed, and it
will launch a stakeholder dialogue with the audiovisual sector in order to improve
consumers’ access to audiovisual content across the EU.

Third, the geographical scope of the Geoblocking Regulation is not entirely
clear. A passage in one of the recitals reads that the regulation aims to further
clarify the Services Directive by defining certain situations where different
treatment based on nationality, place of residence, or place of establishment
cannot be justified. However, geoblocking ‘can also arise as a consequence of
actions by traders established in third countries, which fall outside the scope
of that Directive.’ This, coupled with the fact that — unlike the Cross-Border
Service Portability Regulation — ‘service’ is defined by referring to Article 57
TFEU and not also to Article 56 (only the latter refers to an establishment in
the EU), creates the risk that the regulation may be interpreted as applicable to
all online provision of goods and services within the European Economic Area
(EEA) regardless of the establishment. Only purely internal situations, where all
the relevant elements of the transaction are confined within one single member
state, would be out of the scope. Should this be the case — as suggested by the
European Commission’s and industry guidance — this would be an instance
of jurisdictional overreach similar to the GDPR. By contrast, the DSM measure
that will be analysed in the next section constitutes a more moderate solution to
IoT’s transnationality.


1.3.2.3 The Free-Flow of Nonpersonal Data Regulation between the 
Ban on Data Localisation Laws and the Outdated Personal/ 
Nonpersonal Data Binary 


To realise the DSM, the Commission felt that ensuring service portability and
tackling geoblocking was not enough. There was the need to address the portability of data
as such; without it, there was the risk that, practically, IoT users could not avail
themselves of service portability because services may be, in principle, portable,
but data would still be locked in. It has been noted that ‘[l]imited user access to
raw IoT data reduce(d) ability to switch providers (and to understand privacy
implications).’ To overcome this issue, the EU adopted another DSM measure:
the Free Flow of Non-Personal Data Regulation, applicable as of 28 May 2019,
introducing some IoT-relevant novelties. Unlike the GDPR, it does not apply to the
processing of data of generic ‘data subjects who are in the Union’; instead, it
applies only to those who formally reside or have an establishment in the EU.
Moreover, the ‘offering of goods or services’ does not trigger EU jurisdiction;
only the provision of services of electronic processing of nonpersonal data does.

The main innovation is that nonpersonal data can now be stored and processed
anywhere in the EU, and accordingly, ‘[d]ata localisation requirements shall be
prohibited.’ For example, laws such as the Danish Bookkeeping Act imposing the
storage of financial data of Danish citizens in Denmark or another Nordic country
may need to be amended. This is important because Things produce considerable
amounts of nonpersonal data (so-called industrial data), and data localisation
laws would prevent the availability of all those Things whose data constantly
flows from one member state to another and where storage (including cloud storage)
may well take place in a country other than the manufacturer’s. For example,
if one uses an Amazon Thing, e.g. Echo or Kindle, the ‘[i]nformation provided to
Amazon may be processed in the cloud to improve [one’s] experience and [Amazon’s]
products and services, and may be stored on servers outside the country in
which [one] live[s].’

Another provision of interest for IoT stakeholders aims to make it easier for
professional users to switch cloud service providers. It was felt that whereas consumer
law already smoothens switching in business-to-consumer transactions,
there were not similar provisions for business-to-business relationships. Therefore,
the Free Flow of Non-Personal Data Regulation entrusted the Commission
with the task of facilitating the adoption of codes of conduct that consider best
practices for facilitating the switching of service providers and the portability of
data in a structured, commonly used, and machine-readable format. Outsourcing
at least part of the processing to cloud providers is a common practice in
the IoT (hence the ‘Cloud of Things’), and ensuring the possibility of switching
providers and porting data, especially in open standard formats, will be crucial
for better-quality and interoperable Things. The codes of conduct should mandate
open standard formats, ‘where required or requested by the service provider
receiving the data.’ Since openness is pivotal to interoperability and the latter
is crucial for the IoT to avoid the ‘Internet of Silos,’ it can be argued that the IoT
requires openness. Accordingly, the codes of conduct should recommend open
standards at least when cloud services are provided in an IoT context.

Finally, the Free Flow of Non-Personal Data Regulation acknowledges that the
IoT is ‘raising novel legal issues surrounding questions of access to and reuse of
data, liability, ethics and solidarity.’ Perhaps the regulation itself was not the
best place to deal with these issues, but it is to be hoped that from their awareness
specific initiatives will follow.

The combination of personal data portability, service portability, ban on
unjustified geoblocking, ban on data localisation requirements, and the principle
of exhaustion may be useful for the development of the IoT, increasing
user control over the Thing, facilitating its circulation throughout the EU, removing
obstacles to full interoperability, and preventing lock-in. Full portability — of
data, service, and content — will become even more important in the future IoT,
when an increasing number of Things will be implanted in our body. If some of
the components of one’s smart insulin pump are not portable, this would ultimately
impact the free movement of persons.

The strategy of complementing the GDPR with a separate ad hoc regulation
on nonpersonal data could be criticised because of two dichotomies that the IoT
is disrupting: personal-nonpersonal and good-service. This regulation relies on
the assumption that whilst personal data should be protected, nonpersonal data
are a commodity that should be subject to the usual free market imperatives.
This approach is predicated on the dichotomy between personal and nonpersonal
data. The latter is untenable because anonymisation does not always prevent
reidentification, and in the IoT, ostensibly nonpersonal and even raw data
can be combined to identify individuals. And indeed, the guidance that the
European Commission offered about the Free Flow of Non-Personal Data Regulation
recognised that in an IoT world, most datasets are comprised of personal
and nonpersonal data. It has been convincingly argued that the notion itself
of nonpersonal data is problematic not only because datasets are mixed and the
concept of personal data is fluid but also because there is the risk of firms exploiting
regulatory rivalry, and data has economic value irrespective of its legal classification.
Hopefully, the awareness that the personal/nonpersonal data dichotomy
should be overcome will permeate future regulations and not only nonbinding
guidelines.

As to the second critique — of relying on the good-service dichotomy — this
applies in varying degrees also to the GDPR and other DSM measures, with the
exception of the Geoblocking Regulation, which is the most IoT-friendly, at least
from this standpoint. Indeed, it applies to activities regarding both services and
goods, the latter being defined as ‘any tangible movable item.’ Accordingly,
Things’ providers and providers of subcomponents are not allowed to fragment
the DSM and reduce consumer control over their Things by means of unjustified
geoblocking measures. From the point of view of the goods-services dichotomy,
the second most IoT-friendly regulation is the GDPR, which applies to the offering
of goods and services. However, there is no GDPR definition of goods;
therefore, there is no certainty as to whether all Things will fall under this regulation,
although it is likely that they will be regarded either as goods or as services
or both. In third place, the Free Flow of Non-Personal Data Regulation only refers
to services and does not mention goods. Nonetheless, it can be argued that this
regulation applies also to goods, because it applies not only to the processing of
nonpersonal data provided as a service but also to the processing ‘carried out by
a natural or legal person residing or having an establishment in the Union for its
own needs.’ This may be interpreted as encompassing also the provision of
goods. Finally, the least IoT-friendly DSM regulation is the Cross-Border Portability
Regulation, in that it refers only to services and excludes the online sale of
goods. This is consistent with other recent acts of digital regulation, such as the
Digital Content Directive and the new Sale of Goods Directive, that are built
on the dichotomies between goods-services and hardware-software; they will be
analysed in Chapter 3.

In conclusion, the transnational nature of the IoT requires legal approaches that
strike a balance between the need for cross-border enforcement and the avoidance
of excessive compliance burdens. While the GDPR’s extraterritoriality may
be excessive, it seems to exemplify a trend in internet governance, as confirmed
recently by the proposed Artificial Intelligence Act. Some of the DSM measures
appear to be more moderate. The new rules in matters of service portability,
geoblocking, and free flow of nonpersonal data may benefit IoT stakeholders
and consumers. However, they rely on a number of dichotomies, such as online-offline,
personal-nonpersonal, goods-services, that the IoT has contributed to calling
into question. In this sense, they appear to be already obsolete.


PART II — THE EU IOT STRATEGY AND A CALL FOR A NON-BINARY 
APPROACH TO IOT REGULATION 


1.4 Some Regulatory and Policy Options for an Interconnected 
World 


The IoT’s sectoral fragmentation, partially standardised complex technologies,
relational black box, and transnational nature make it difficult for policy- and
lawmakers to regulate it. In line with current regulatory theory, in this book
‘regulation’ is construed in a broad sense: as a set of commands, as deliberate state
influence, and as all forms of social or economic influence. The main focus will
be on self-regulation, coregulation, and regulation.

There are several issues in the IoT that require better regulation. The main such
issues are interoperability, the so-called contractual quagmire in which IoT
users inadvertently find themselves, privacy, security, market dominance
and inadequate competition around firms, insufficient spectrum and internet
protocol (IP) addresses for devices, lack of leadership on industry standards,
responsibility and liability for harm, as well as technical education, appropriate
regulation, and trust in the security of these systems.

Whilst there is consensus as to the importance of at least some of these issues
for the IoT to develop in a socially just way, not all the countries and all the
stakeholders agree on whether or not new regulations should be introduced,
whether self-regulation may suffice, whether a body with IoT-related regulating
and lawmaking powers would be needed, and if so, at which level, if national,
regional, or international.

There is a historical divide between the US and the EU about whether and how
to regulate the internet. It should come as no surprise that the same applies to
the debate about the regulation of the IoT, although in recent years the EU seems
to be increasingly fascinated by the North-American preference for nonbinding
instruments that go by the name of ‘soft laws.’ For the purposes of this book, ‘soft
law’ means ‘[r]ules of conduct which, in principle, have no legally binding force
but which nevertheless may have practical effects.’ In this sense, the next section
will deal with the soft laws on the IoT, as encompassing policy documents,
self-regulation (e.g. industry codes of conduct), techno-regulation (code as law
and law by design), and research funding.


1.4.1 Of Market-Led Self-Regulation, Soft Laws, Code, and Other 
Unsatisfactory Ways (Not) to Regulate the IoT 


In November 2013, the US Federal Trade Commission (FTC) held a multistakeholder
workshop on The Internet of Things: Privacy and Security in a Connected
World. The main perceived risks were unauthorised access and misuse of personal
information, the potential for consumer-interfacing Things to facilitate
attacks on other systems, and personal safety. However, the FTC reiterated the
evergreen American idea that legislation stifles innovation. This mantra has
been blindly espoused by the UK government, which launched the Plan for Digital
Regulation in July 2021. There, the government is adamant that deregulation
and self-regulation are the way forward to promote innovation as ‘[p]olicymakers
must back innovation wherever they can by removing unnecessary regulation . . .
and considering non-regulatory measures.’ In some instances, overregulation
may be seen as stifling innovation. However, if innovation is not regulated in a
timely fashion, there is the real risk of ‘cementing of socially undesirable outcomes
when vested interests are left too long unchecked.’ Indeed, the window
of time left in which to consider the manifold challenges of the IoT ‘and to
articulate a meaningful response to them . . . is closing.’ This does not seem to
preoccupy the FTC, which reaches the perhaps deterministic, albeit back then arguable,
conclusion that ‘IoT-specific legislation at this stage would be premature.’
The FTC nonetheless recommended that, in more sensitive areas, existing laws
be strengthened. In particular, the FTC ambitiously called on Congress to enact
‘strong, flexible, and technology-neutral federal legislation to strengthen its existing
data security enforcement tools and to provide notification to consumers when
there is a security breach.’ One year later, speaking at an event hosted by the
Center for Data Innovation, many representatives recognised that the US risks
losing to China and other competitors if they do not update laws that had been
passed before the time of videocassette recorders. However, the concern ‘not to
snuff any of this great innovation out’ by means of strict security and privacy
laws seemed to prevail. Regrettably, these concerns prevented any meaningful
regulation of the IoT, and the US is still one of the few countries without comprehensive
and modern privacy and security laws, let alone IoT-aware laws.

In line with its market-oriented tradition, the FTC seemed more favourable to
self-regulation of the IoT than to ‘hard’ solutions. This line seems to be prevailing.
Currently, ‘the regulation of the IoT is mainly based on self-regulation
through business standards,’ such as GS1’s Electronic Product Code and the
relevant standards, which rest on concepts that are common in traditional regulations,
such as consumer notice and consumer education.

For once, the EU pioneered this approach and favoured a ‘soft’ approach. This 
will be illustrated by reference to: 


(1) The European research funding agenda;

(2) The launch of a Commission-backed IoT alliance;

(3) The attempt to impress European values on the IoT;

(4) Ethical IoT; and

(5) Regulation by design.


First, a nonbinding way to indirectly regulate the IoT is through funding of research
and innovation. Indeed, one can posit that shaping the research agenda can affect
the stakeholders’ behaviour as profoundly as actual regulations. As noted by the
US National Institute of Standards and Technology (NIST), the chief incentivising
mode to regulate new technologies is the offer of research and development
funding to help companies securely adopt new technologies.

The first EU-coordinated effort to support IoT research was the European
Research Cluster on the Internet of Things (IERC) that groups EU-funded projects
aimed at defining ‘a common vision and the IoT technology and development
research challenges at the European level in the view of global development.’
Launched in 2010, IERC’s vision is to support an open, vibrant, and innovative IoT
ecosystem ‘which brings together the research community with the private sector
companies and the end-users.’ One of the main outputs of this research has been
the so-called cluster study. The latter mapped IoT innovation clusters in the EU
and identified four types of clusters: geographical, virtual, thematic, and institutionalised.
The study recommended that the European Commission intervene in
four strategic areas: the identification of IoT risks, the development of standards,
the creation of EU-wide communities through support to technology development,
transfer, and platforms, and finally, the development of IoT ecosystems. So far,
not much, if anything, seems to have followed from these recommendations in
terms of actions and policies.

Another coordinated effort to regulate the IoT through research funding has
been the IoT European Platform Initiative (IoT-EPI), which was launched in 2016
to promote open and accessible IoT platforms through projects funded by the
Horizon 2020 Programme. In order to achieve a vibrant and sustainable IoT
ecosystem, the Commission funded seven projects that were seen as maximising
the opportunities for platform development, interoperability, and information
sharing. Most notably, IoT-EPI comprises:


(i) Inter-IoT, aiming at designing an open, cross-layer framework, an associated
methodology, and tools to enable voluntary interoperability among heterogeneous
IoT platforms;

(ii) BIG IoT, addressing the interoperability gap by defining a generic, unified
web application programming interface (API) for Thing platforms;

(iii) AGILE, which builds a modular and adaptive gateway for Things;

(iv) symbIoTe, with the goal of devising an interoperability framework across
existing and future IoT platforms;

(v) TagItSmart!, having at its core the Smart Tag, which is a context-sensitive,
printable QR code to convey life cycle information about mass-market
Things;

(vi) VICINITY, a platform and ecosystem that provides ‘interoperability as a
service’ for IoT infrastructures; and

(vii) bIoTope, which intends to overcome the vertical silos problem by building
a platform that enables companies to easily create new IoT systems.


Like IERC, IoT-EPI confirms that private stakeholders are at the heart of the EU
IoT strategy. Indeed, the initiative is marketed as having a partner network of
120 established companies and organisations, and the funding calls are open for
‘SMEs, startups, companies,’ and, last and least of all, research centres or universities.
The influence of private, usually corporate, stakeholders in shaping the
EU research agenda is akin to an informal — and rather opaque — form of coregulation
of the IoT. More transparent coregulatory initiatives will be presented later
in this chapter.

Second, in March 2015, the European Commission launched the Alliance for
Internet of Things Innovation (AIOTI), to support the creation of ‘an innovative
and industry driven European Internet of Things ecosystem.’ This led to
some noteworthy work about standardisation and policy, including the IoT LSP
Standard Framework Concepts, the IoT High Level Architecture, and the
AIOTI Position on Cybersecurity Act. The former constitutes the alliance’s
main effort, and it has the aim to present the global dynamics and landscapes
of standard-developing organisations and open-source software initiatives with
the ultimate goal of:


(i) Leveraging existing IoT standardisation, industry promotion, and implementation
of standards and protocols;

(ii) Providing input for large-scale pilot standards framework and gap analysis;
and

(iii) Presenting guidelines for the proponents of future project proposals associated
with IoT-related calls financed by the EU.


Whilst AIOTI has become an important IoT stakeholder in its own right and may
play a crucial role in the development of a European IoT ecosystem, its mission
currently seems far from being accomplished. Indeed, its work may lay the
foundations for future standardisation initiatives and other soft laws, but it has
not led, in itself, to proper standards. Nonetheless, AIOTI has been carrying out
praiseworthy work in identifying standardisation gaps, which include operational
strategies, such as deployment and its scalability, software update, sustainability
and green technologies, and usability.

Third, one year after the setting up of AIOTI, in the context of the Digitising
European Industry initiative, the European Commission published its main
IoT-focused soft law instrument: Advancing the Internet of Things in Europe.
This Commission Staff Working Document specifies the EU’s IoT vision as based
on a single market for the IoT, a thriving IoT ecosystem, and a human-centred
IoT approach. First, the idea of an IoT single market translates into the commitment
to make sure that Things can connect seamlessly and on a plug-and-play
basis anywhere in the EU and scale up across borders. Second, in order to
achieve a thriving IoT ecosystem, open platforms used across vertical silos will
help communities of developers to innovate and IoT deployments in selected lead
markets will be supported. Third, the Commission expressed the belief that
Things must ‘respect European values, empowering people along with machines
and businesses, thanks to high standards for the protection of personal data and
security, visible notably through a “Trusted IoT” label.’ This is problematic for
four reasons:


(i) It is unlikely that consensus will be reached as to what exactly constitutes a
‘European value’ and, subsequently, to learn how to translate it into machine-readable
commands.

(ii) Since Things are designed for international (including extra-EU) mobility,
the idea that a user in India should interact with Things embodying so-called
European values may count as neocolonial digital imperialism. This trait was
inherited by internet regulation more generally. Indeed, benign efforts to
wire the world ‘in the name of an ostensibly universal/cosmopolitan vision
of electronic democracy . . . emerge as a form of “computer-mediated colonization”,
i.e., an imposition of a specific set of cultural values and communicative
preferences upon diverse cultures.’

(iii) The suggestion that we should be ‘empowering people along with machines
and businesses’ implies that machines need to be empowered and that people
are on an equal footing with machines. One would have thought that
machines need to be powered, people empowered. That phrase may perhaps
be seen as a result of the regrettable anthropomorphism that increasingly
characterises machines.

(iv) The ‘Trusted IoT’ label, as a demonstration of compliance to the Network
Information Security (NIS) Directive’s requirements, may be useful,
although it must be kept in mind that labelling has often failed to achieve its
objectives.


Fourth, one of the clearest — and most concerning — recent trends in internet
governance is the ethical turn, as shown by the increasing reliance on ethics
charters and value-sensitive design to complement or even replace legislation and
oversight. While most ethical initiatives are not binding and can be criticised for
this reason as they can do little to change corporate behaviour, a recent trend in
internet governance is the enshrining of ethics into binding instruments. This can
be seen most clearly in the field of AI, where the proposed Artificial Intelligence
Act is the result of the commitment by the European Commission president to put
forward ‘legislative proposals for a coordinated European approach to the human
and ethical implications of AI.’ Published in April 2021, the proposed act can
be regarded as the legislative codification of the Ethics Guidelines for
Trustworthy AI. The use of binding ethical instruments is open to criticism for many
reasons. For the purposes of this section, suffice it to note that the unification of
law and ethics is worrying from a historical perspective. Indeed, this unification
served the Nazi jurists as a means of extending the authority and power of the
state to the control of personal convictions. Nazi law was based on the higher
law of a declared Germanic sense of justice, which ended up liberating the judge
from the ‘inflexible framework of the law.’ Ultimately, as Hans Kelsen argued
in General Theory of Law and State, if only ‘just’ law is law, legal systems are all
morally justified. Needless to say, the intentions underpinning the idea of
legislating on ethical AI do not share anything with the intentions of Nazi lawmakers.
Nonetheless, we should all be aware of the dangers of governing new
technologies by transforming ethics into law.

Most manifestations of the ethical turn in technology governance are not
binding. Ethical charters and manifestos abound in the field of the IoT. For example,
researchers at ThingsCon, a collective that promotes development of
responsible IoT, have mapped around thirty ‘ethical IoT’ initiatives, such as the Arduino
IoT Manifesto, the Everyware Principles, and the IoT Bill of Rights. The
use of ethics to “regulate” the IoT can be criticised for a number of reasons,
but for the purposes of this book, one need only focus on the fact that ethics
has been weaponised ‘in support of deregulation, self-regulation or hands-off
governance.’ In this sense, ‘ethics washing’ acts as an ideological rhetoric
device that lacks the strength of law and brings confusion to the regulatory
discourse rather than solutions. However, the condemnation of ethics washing has
led to a form of ‘ethics bashing,’ that is, ‘the trivialization of ethics and moral
philosophy now understood as discrete tools or pre-formed social structures such
as ethics boards, self-governance schemes or stakeholder groups.’ If ethics is
used to complement regulation and not as a substitute, and if it takes the form
of evidence-based participatory best practice rather than vague charters drafted
with opaque methods, there are reasons to be open to it. One such positive
application is the Edinburgh Initiative, i.e. the work of an Action Group on
Governance and Ethics in assessing the use of a new IoT infrastructure at the University
of Edinburgh. Participatory and involving diverse actors, this initiative was
underpinned by the belief that ethical precepts can be translated into procedures,
guidelines, training, reflection, and support, which in turn can be used to
‘augment . . . the application of legal requirements, for example, accountability
and transparency by means of other instruments that may be more adaptable to
rapidly changing technologies.’ In this initiative, ethics was instantiated by:

(i) A city-wide communications network that was ‘as open as possible,’ where
it was possible to access, modify, and experiment with virtually any hardware
and software component of the network;

(ii) The shift from consultation via a survey to codesign via focus groups in
setting up — and assessing the privacy impact of — a system to identify
unoccupied desks at the library repurposing student card data.


Initiatives such as this are praiseworthy, but one can doubt that they can easily be
exported and applied to other IoT sectors for at least two reasons. First,
universities have a strong incentive to listen to and engage with their main
stakeholders, their students, on whose satisfaction the financial sustainability of the
institution depends. Chapter 2 will present a hierarchy of incentives that shows how IoT
companies will not adopt fair data practices unless they have strong incentives,
either in terms of public exposure or in terms of financial pressure. Second,
universities have a tradition in research ethics and can source in-house the expertise
that may be necessary for the evaluation of their own practices. The same cannot
be said for most commercial IoT applications. The Edinburgh initiative is also a
reminder that the many instances of the ethical turn are ‘often very siloed, when
IoT is always a cross-cutting endeavour, with decisions about hardware, software,
data, application area and users intertwined.’

Lastly, the most recent and problematic form of self-regulation is the regulation
by design. This is connected to the idea of (binary) code as the law of
cyberspace, as famously put forward by Lawrence Lessig and his followers. The
way the internet — and the IoT — is designed (e.g. which content Apple Watch’s
screen shows us or hides from us) affects us in a way that is similar to the way
democratically produced laws impact citizens, despite code being developed in
an untransparent and undemocratic way. IoT’s code, in particular, being
ubiquitous and hidden in seemingly harmless everyday objects, has the potential to
regulate the citizens’ behaviour in unforeseeable ways. It may sound like a stretch
to argue that the idea of technologically regulating through Things was written in
cyberspace’s DNA; however, it is a fact that ‘cyberspace’ comes from
‘cybernetics,’ which comes from kybernetiké téchne, the art of control at a distance through
devices. Cybernetics was coined by Norbert Wiener in 1948 to refer to the
scientific study of control and communication in the animal and the machine.
And control — or regulation by code (or by design) — at a distance through Things
is what is happening with the IoT, where private companies seek to ‘promote
techno-regulation through design, algorithms and market-based contracts.’

The relationship between self-regulation and code is relevant for at least two
reasons. First, the possibility of self-governance depends on architectural
features of the internet, and these are not always developed in democracy-supporting
ways. Second, companies are increasingly expected to operate self-restraint ‘by
design.’ This is perhaps best exemplified by the ‘data protection by design’
obligation under GDPR and by the UK government’s Code of Practice for Consumer
IoT Security.

The former requires data controllers to implement technical and organisational
measures that embed data protection principles from the outset, i.e. from the
conception and design of a product or service, Things included. This would mean,
for example, that if the Thing contains cameras, these should not be hidden in
order to prevent the Thing from becoming a means of covert surveillance. ‘Data
protection by design’ has its roots in the ‘privacy by design’ approach, which
was entirely voluntary. With the GDPR, it has become a binding obligation and
could be regarded as a form of coregulation, where the lawmaker sets forth the
high-level principles and the data controllers transform them into design rules.

The ‘by design’ trend, however, goes beyond data protection, and most of it
still qualifies as a form of self-regulation. The Code of Practice for Consumer IoT
Security, based on the Secure by Design report, is a prime example of this type.
This code sets out steps for IoT manufacturers and other stakeholders to improve
the security of consumer-interfacing Things by implementing thirteen guidelines,
including no default passwords and minimisation of exposed attack surfaces.
The fact that many Things are sold with universal default usernames and
passwords leads to serious security issues; therefore, the requirement to sell Things
with unique passwords is a positive move. As to the minimisation of exposed
attack surfaces, Things should operate on the ‘principle of least privilege’;
therefore, unused ports shall be closed, hardware shall not unnecessarily expose
access, services shall not be available if not used, and code shall be minimised to
the functionality necessary for the Thing to work. At its core, the Code of
Practice is a traditional self-regulatory ‘soft’ measure in that it is ‘outcome-focused,
rather than prescriptive, giving organisations the flexibility to innovate and
implement security solutions appropriate for their products.’ Whilst the effort may be
laudable, it is peculiar to leave this to private companies’ goodwill, as the security
of Things ‘is now as important as the physical security of our homes.’ The same
can be said for the first globally applicable standard for consumer IoT security,
released by the European Telecommunications Standards Institute in February
2019. It includes provisions on storage of security-sensitive data, software
integrity, and system resilience. Such important things should not be left to the
discretion of private corporations.

As IoT companies use design/code to regulate us, it makes sense to ‘regulate’ 
them through design/code. However, the idea that technology will resolve the 
problems created by technology is excessively optimistic. There are grounds for 
scepticism when technological design is presented as the solution to human rights 
problems; in this sense, regulation by design can be regarded as antagonistic to
actual regulation. Regulation by design suffers from a legitimacy gap. Indeed,
as Langdon Winner argued already in 1980, technologies embody power
relations, and their design is an insufficiently democratic activity. The design of new
technologies ‘is so thoroughly biased . . . that it regularly produces results heralded
as wonderful breakthroughs by some social interests and crushing setbacks by
others,’ which is a strong argument for more participatory methodologies —
what is usually missing both in the ethical turn and in regulation by design. Whilst
refusing techno-solutionism, this book has been written on the assumption that
‘by design’ solutions can and should complement — though never replace — more
traditional, ‘hard’ regulatory responses.

Self-regulation and, more generally, soft initiatives have the benefit of being
more flexible than traditional top-down regulation and of following the principle
of subsidiarity. Under this principle, a central authority or a
transgovernmental network has a subsidiary function in handling only those tasks that cannot
be handled by the self-regulatory authority. Self-regulation and minimal state
involvement have been seen as more efficient in dynamic, innovative industries.
However, the question is inherently political and at least five arguments can be
made against a soft approach to IoT regulation. First, letting the (binary) code
regulate itself means assuming absolute technological neutrality, but technology’s
social impact cannot be regarded as neutral. Second, the internet is
characterised by economies of scale and network effects that have led to noncompetitive
markets. The failures of antitrust jurisprudence in addressing patent abuses are
a good illustration of this issue and will be analysed in Chapter 6. Third, there is
a democratic argument to regulate, since voters may ‘not allow governments to
ignore the social impact of this ubiquitous medium.’ Fourth, it is in the nature of
self-regulation to be nonbinding; indeed, it can act only as a form of moral suasion
and when certain conditions occur, such as sanctions under contract or
association rules. The flexibility of soft laws and self-regulation should not be the
dominant factor in making decisions about regulation. Indeed, this ideological
stance causes ‘regulatory inertia’ and ‘legal procrastination’ that are difficult
to break without a substantial and public failure. Indeed, as IoT companies
increasingly adopt business models based on big data and on the use of Things
to further their marketing activities, ‘their resistance to subsequent restriction of
these activities will increase.’ Finally, even more radically, it can be argued that
self-regulation is not actual regulation. Indeed, a commonly accepted definition
of ‘regulation’ is ‘the sustained and focussed attempt to alter the behaviour of
others according to standards or goals with the intention of producing a broadly
identified outcome or outcomes, which may involve mechanisms of
standard-setting, information-gathering and behaviour modification.’ By definition,
self-regulation cannot alter the behaviour of others as it is self-directed. Therefore, if
we want IoT companies to act differently, external stimuli are needed.

Especially in markets where big tech such as Google, Apple, Facebook, and
Amazon (GAFA) — and its Chinese counterparts, Baidu, Alibaba, Tencent, and
Xiaomi (BATX) — dominate and have little or no incentives to self-restrict their
behaviour, the argument can be put forward that hard laws are more suitable than
soft laws. The need to regulate the behaviour of GAFA and BATX is a
common thread in recent debates about how to counter illegal content online and
whether to ‘break’ these companies, since fines do not exert any meaningful
deterrence function. For example, in United States v. Facebook, Facebook
settled with the FTC a number of privacy violations. Under the settlement, the
social networking site will have to pay a record $5bn fine for data mishandling.
However, Facebook reacted by immediately posting a $2.6bn profit, which led to
a 3% rebound of its stocks. Whilst this rise may be explained by the fact that
the settlement would extinguish more than 26,000 consumer complaints against
Facebook pending at the FTC, it is not unreasonable to see this as the
confirmation that seeking to regulate big tech by means of fines is not a winning strategy.

Consumers’ choices are increasingly determined by the products and the
information that GAFA and BATX show on the ‘digital shelf’ (e.g. Amazon’s Buy
Box). With the IoT, this shelf is becoming smaller and smaller. Therefore,
regulators should ask themselves new questions and think of new strategies to deal
with abuses of power by IoT corporations. A good starting point would be to
reflect on whether control over the design of the web and the underlying
algorithms that attempt to monopolise our attention has become ‘the latest tool in the
landlord’s toolbox.’ It would be naive to leave the regulation of the IoT to the
market; indeed, GAFA, BATX, and other digital landlords that use algorithms
and web design as the tools of a new enclosure tend to seek monopolistic rents
and maximise profit at the expense of smaller businesses and society at large.
Schumpeter believed that technological innovation could cause a reduction in
wealth and rent inequalities through powerful destruction. However, he
himself acknowledged that this innovation often leads to temporary rents, which can,
over time, become traditional monopolistic rents. Relying on the invisible hand
of the market to achieve the best good of all, without government interference, is a
political choice that is no longer sustainable.

In a context of IoT innovation dominated by few rent-seeking and fine-immune 
multinationals, transnational hard laws should be part of the regulatory strategy.

1.4.2 The EU Hard Law Approach to the IoT: The Case Study of the
European Electronic Communications Code between Spectrum
Management, Over-the-Top Services, High-Speed Connectivity,
and Numbering


While in principle top-down hard laws appear to be a suitable solution, much will
depend on the method and the content. These laws should not be IoT-specific,
rather ‘IoT-aware,’ i.e. they must be wary of how the IoT has changed our
everyday life and challenged traditional concepts and binaries on which old laws still
rest. Some examples of IoT-relevant, albeit only partly IoT-aware, top-down
regulation have already been presented and fall under the DSM strategy. Whilst the
new Sale of Goods Directive and Digital Content Directive will be analysed in
Chapter 3, to complete the picture of EU IoT-related hard laws, one needs to
mention the review of telecoms rules. In this context, the European Commission:


(i) Proposed that by 2025 the main providers of public services and digitally
intensive enterprises shall have access to internet connections with 1GB/s
speed;

(ii) Set out a coregulatory framework for member states and industry to
cooperate in the development of 5G wireless technologies;

(iii) Supported public entities to offer free Wi-Fi.


The heart of the reform of telecommunications, however, is the European
Electronic Communications Code (EECC), which was due to be transposed by
December 2020, but 24 member states missed the deadline, which led the
European Commission to open infringement proceedings in February 2021.

The EECC sets EU-wide objectives and harmonised rules on how the telecom
industry should be regulated, with notable new provisions about spectrum
management, over-the-top (OTT) or over-the-air services, high-speed connectivity,
and numbering.

Some telecoms-related issues in the IoT are linked to the capacity to handle a
huge amount of highly diverse Things and the need to securely identify them,
as well as being able to discover them so that they can be plugged into IoT
systems. Therefore, an open and interoperable IoT numbering space for a
universal Thing identification and an open system for Thing authentication become
vital. The EECC provides a partial answer to these problems, in particular with
regards to some aspects of numbering.

The background of the code is that, as a consequence of fragmentation in
telecoms laws, the EU was lagging behind the US, as exemplified by a three-year
delay in the rollout of 4G technologies. To avoid that, the European
Commission recognised that the regulation of 5G technologies could not be treated as a
purely domestic matter, and it goes without saying that the prompt and
coordinated 5G rollout is pivotal to the IoT, in light of the transnational and high-speed
mobile connectivity-hungry nature of Things.

By 2025, in Europe, there will be 25 billion IoT connections. Since these
connections are mostly wireless, to accommodate the resulting traffic between Things,
the amount of available spectrum will have to be increased, shared more
effectively, and underutilization will have to be avoided. The code aims to
stimulate investments throughout the EU through the release of spectrum frequencies
on the same technical conditions, as well as long-lasting (20 years) and
easy-to-renew licenses. The code recommends that radio spectrum management adopts,
‘where appropriate, a cross-sectorial approach to improve the efficient use of radio
spectrum.’ Thus, it shows awareness of the importance of spectrum for the IoT,
and it is fit for the IoT’s sectoral fragmentation.

High-speed connectivity is fundamental for the development of the IoT in
Europe. To achieve this, the code offers telecoms operators with significant market
power reduced price and access regulation in exchange for investments in
high-capacity broadband networks. At the same time, national regulatory authorities may
impose on these operators obligations of transparency, nondiscrimination,
accounting separation in relation to interconnection or access, as well as
obligations relating to cost recovery and price control, and to meet reasonable requests
for access to and use of civil engineering and specific network elements.

Finally, the previous telecoms regulatory framework dated back to 2002, when it
was unthinkable that traditional phone calls and texts would be replaced by
so-called OTT voice and instant messaging services such as Skype and WhatsApp.
The EECC levels the regulatory playing field for OTT services with that of traditional
telecoms services. To do so, it redefines electronic communications services — and
hence the scope of telecoms regulations — not based on technical parameters but by
taking a functional approach. Indeed, it recognises that traditional voice telephony,
SMS, and email conveyance services are ‘functionally equivalent (to) online services
such as Voice over IP, messaging services and web-based e-mail services.’
Accordingly, the new definition of electronic communications service refers — and the
relevant regulations apply — to three partly overlapping types of services:


(i) Internet access services. This is not a new concept and refers to ‘a
publicly available electronic communications service that provides access to the
internet, and thereby connectivity to virtually all end points of the internet,
irrespective of the network technology and terminal equipment used.’

(ii) Interpersonal communications services. This is a concept introduced by the
code that defines them as ‘services that enable interpersonal and interactive
exchange of information . . . between a finite . . . number of natural persons,
which is determined by the sender of the communication.’ This includes
services like traditional voice calls between two individuals but also all types
of emails, messaging services, or group chat. It should be noted that many
IoT communications can be qualified as number-independent interpersonal
communications, and these are subject to the code’s obligations ‘only where
public interests require that specific regulatory obligations apply to all types
of interpersonal communications services, regardless of whether they use
numbers for the provision of their service.’

(iii) Services consisting wholly of or mainly in the conveyance of signals.
These include transmission services used for the provision of M2M services
and for broadcasting.


This reform has led to a change in scope for all the regulations regarding electronic
communications services that henceforth will apply to both OTT and ‘traditional’
services. The code may prima facie be interpreted as narrowing the definition of
electronic communications services by limiting them to those that are ‘normally
provided for remuneration,’ which may be seen as excluding all those IoT
services that are paid by means of personal data. For example, one can call through
Amazon Echo without any pecuniary exchange. However, the reference to
remuneration is a merely ostensible limitation, because the preamble of the
code clarifies that ‘remuneration’ encompasses situations where:


(i) The provider of a service requests and the end user knowingly provides
personal data or other data directly or indirectly to the provider;

(ii) The end user allows access to information without actively supplying it, such
as personal data, including the IP address, or other automatically generated
information, such as information collected and transmitted by a cookie;

(iii) The end user is exposed to advertisements as a condition for gaining access
to the service or situations in which the service provider monetises personal
data it has collected.


The broader scope resulting from the code’s new definition will affect not only
telecoms regulations but also all the other regulations that refer to the telecoms
framework to define ‘electronic communications services.’ Most notably, these
include the ePrivacy Directive, with an option confirmed in the Draft ePrivacy
Regulation. From an IoT perspective, a regulation framework such as this, that
is technologically agnostic yet technologically aware, thus not resting upon
out-of-date distinctions, is a positive endeavour.

The identification of Things is necessary for a number of reasons, from allowing
the communication itself to competition and law enforcement purposes. To this
end, numbering can play a key role. Under the EECC, member states should be
able to grant rights of use for numbering resources to businesses other than
providers of electronic communications networks or services ‘in light of the increasing
relevance of numbers for various Internet of Things services.’ Numbering plans
remain managed by national authorities, but the code recognises that there may be
the need for EU harmonisation of numbering resources to support ‘new
machine-to-machine-based services such as connected cars,’ in which case the
Commission can take implementing measures with the assistance of the Board of European
Regulators for Electronic Communications (BEREC). Nonetheless, BEREC rather
surprisingly concluded that the scarcity of traditional numbers (so-called E.164)
is merely alleged, and it would not constitute a barrier to the development of the
IoT. Should numbering become an issue, the reasoning goes, it would have to be
solved by national authorities, e.g. by introducing a new numbering range for IoT
services or increasing the mobile number resources. In light of the transnational
nature of the IoT, EU full harmonisation would be preferable.

Traditional regulation is far from perfect. Indeed, it has sometimes led to
overregulation and forms of censorship. Moreover, it has allowed industry stakeholders
to lobby regulators in an opaque way; this has affected the resulting regulations
and sometimes led to the failure to adopt any legislation. For example, in
December 2020, a leaked document showed that Amazon endeavoured to ‘kill’ the reform
of the ePrivacy Directive by pitting the EU institutions against each other.
Additionally, private stakeholders that are not collectively organised or do not have the
means to lobby (e.g. IoT users) have limited or no influence on regulation, despite
being often profoundly affected by it. Although these arguments have some merit,
there are good reasons to rely on actual laws rather than soft laws.

The legitimacy of hard laws and top-down regulation rests on a positive
argument, as well as on a negative one. On the one hand, only states — and, to some
extent, supranational institutions such as the EU — are democratically elected
and, therefore, have legitimacy to regulate such a pervasive and impactful
socio-technological phenomenon. On the other hand, self-regulation, including ethical
charters and code, lacks constitutional checks and balances for private citizens.
It is fair to say that the regulation of the IoT should encompass top-down and
self-regulation, hard and soft laws — the crucial point will be to find the right
mix of the two. And to include all those hybrid initiatives that go by the name of
coregulation.


1.5 Overcoming Regulatory Binaries, Coregulation, 
and Supervisory Authority 


The main regulatory options explored for the IoT exist within a continuum from
regulation to self-regulation. Whereas the regulatory discourse is often
polarised, non-binary approaches are possible, and on the face of it, this would be
suitable for a non-binary phenomenon like the IoT. Between self-regulation —
flexible but opaque and not binding — and regulation — binding but accused of
stifling innovation — there is a variety of initiatives known as ‘coregulation.’ There is
no agreed definition of coregulation, but most studies use the term to refer to those
situations where ‘the State and the private regulators co-operate in joint institutions.’
In this chapter, coregulation is understood broadly as including the so-called
middle-out approach, i.e. all the models that sit between top-down and
bottom-up regulation, such as ‘monitored self-regulation, coordination mechanisms for
good AI governance, and “wind-rose” models for the Web of Data.’
Coregulation seems to cope well with increasingly complex technological challenges, as
it accommodates ‘the uncertainties of innovation, imposing society’s preferences
on emerging innovation, while allowing us to capture expanding understanding of
technological challenges with increasing regulatory granularity.’

The incoming tide of internet coregulation should be read in the context of
the increasing use of cost-benefit analysis in selecting and articulating
regulatory initiatives. Cost-benefit analysis counters pure self-regulation. Indeed,
coregulation can protect democratic processes from interest groups that are
pressing for a type of regulation despite the argument to support it being fragile. It
is not unreasonable to say that stakeholders should have some influence on the
regulation that will affect them, but internet self-regulation does not provide
sufficient incentives to shape big tech’s behaviour and leaves out small and medium
enterprises, including microenterprises, as well as excluding civil society. The
latter exclusion constitutes a strong argument in favour of formally inclusive
multistakeholder coregulation, which has been considered ‘the best chance to
reconcile market failures and constitutional legitimacy failures in self-regulation.’

Interestingly, the first proper attempt to regulate the IoT in the EU can be seen
as a form of coregulation. In May 2009, the European Commission recommended
that industry should develop a framework for privacy impact assessments (PIA)
of RFID applications. However, unlike in the US, this framework would have to
be approved by the Article 29 Working Party, then the EU privacy advisory body,
now replaced by the European Data Protection Board. Such an industry-led
framework approved by a public law body well illustrates coregulation. In July 2009,
an informal ‘RFID workgroup’ led by industry representatives began working on
the definition of a PIA Framework, through regular meetings with stakeholders,
including consumer groups, standardisation bodies, and scholars. The first
version of the framework was not endorsed for the lack of a proper risk assessment
procedure and a number of issues, including the fact that the submission did not
address ‘issues that could arise when tags are carried by individuals in everyday
life.’ The Article 29 Working Party was being prescient, if one considers how
the shift from RFID tags to the IoT has meant a proliferation of tracking devices
in our everyday life. In 2011, a revised version was approved, with the purpose
of helping RFID operators ‘uncover the privacy risks associated with an RFID
Application, assess their likelihood, and document the steps taken to address
those risks.’ The framework goes beyond RFID tags to encompass back-end
systems and networked communication infrastructures; therefore, it could be
adapted to more modern and complex IoT systems using RFID technologies. The
PIA Framework played an important role in the development of future initiatives,
such as the IoT Cluster and AIOTI.

An option that can be loosely regarded as coregulation, although it straddles
the coregulation-self-regulation line, is the so-called playground, nowadays more
commonly called regulatory sandbox, especially in the fintech world. The
playground, or sandbox, is a framework set up by a regulator to ‘allow small scale, live
testing of innovations by private firms in a controlled environment (operating under
a special exemption, allowance, or other limited, time-bound exception) under the
regulator’s supervision.’ In November 2020, the Council of the EU called on the
Commission to consider regulatory sandboxes as a tool for an innovation-friendly,
future-proof, sustainable, and resilient EU regulatory framework. As noted by the
associate director of Cyber-Physical Systems Program at NIST, it could be
possible to move away from the carrot-or-stick mode when it comes to internet
regulation, and NIST is working to create a regulatory playground through the Global
Cities Challenge programme. The latter allows IoT players to work directly with
local governments to test Things in the real world. In particular, it encourages local
governments, not-for-profit organizations, academic institutions, technologists, and
corporations from all over the world to form project teams to work on
groundbreaking IoT applications within the city and community environment. NIST, which
is an agency of the US Department of Commerce, is to be praised for the initiative
in that it allows meaningful public-private collaboration and oversight in a field
that has not reached maturity. However, the more the IoT grows in complexity and
pervasiveness, the more it becomes apparent that it is no longer time for playing
with sandboxes.

Whilst stakeholder participation is important, it can be argued that consultations
could be a sufficient tool to that end and that the case for having private
parties (co)dictating the rules that should constrain them has not been made with
sufficient strength. Even the direct involvement of civil society, and other weak
actors, has raised significant questions as to the effectiveness, accountability, and
legitimacy in representing the public interest.

The fact that current laws are not always or entirely fit for the IoT, the unenforceability
of self-regulation, and the insufficiency of coregulation led some
scholars to argue that a new legal framework must be set up ‘in order to allow
for an effective introduction of the new information architecture (of the IoT) and
therewith protect the developing new services, while ensuring a high level
of cybersecurity, data protection, privacy, and competition.’ Many believe that
institutionalised control mechanisms aimed at policy coordination across sectors,
regions, and areas are needed. This would be coherent with the inherently fragmented
and non-binary nature of the IoT.

There is no agreement, however, on which institution should have a supervisory
role in the IoT. Some see the European Commission as the natural holder of the
relative powers, and this would serve the purpose of strengthening an EU vision
of the IoT. However, such a solution would ignore the genuinely global nature of
the IoT, and it would provide stakeholders with opaque means to influence the
process. Accordingly, others believe that an ad hoc nongovernmental international
organisation would be a better fit for the role of IoT supervisory authority. The
latter would be composed of a ‘mixture of governmental officials, representative
of private sector and scholars.’ This option has been seen as more suitable, given
that academic research could provide a sound empirical basis for the new body’s
actions and that ‘the IoT is mainly used by private entities.’ This argument is
open to a twofold criticism. First, public entities are increasingly part of the IoT
world, as exemplified by the smart cities phenomenon. Second, gun manufacturers
are mostly private companies, but it does not mean that they get to supervise
themselves.

More generally, an ad hoc international authority would be cumbersome to set 
up; accordingly, the task could be given to an existing organisation, e.g. the World 
Trade Organization (WTO) or the Organization for Economic Co-operation and 
Development (OECD). This solution would have a more rapid implementation,
provided that the parties could agree on giving more resources (e.g. specialised 
staff) to the relevant body. The proposal has been criticised because private stakeholders
cannot be elected to WTO and OECD committees. Whilst for the aforementioned
reasons the exclusion of the industry from the IoT supervisory body
would not be necessarily negative, the main argument against this solution is that 
the regulation of the IoT would risk being affected by the specific mission of the 
relevant body. For example, a WTO committee as the prospective IoT authority 
would benefit from the enforcement actions ensured by the dispute settlement 
body. However, the resulting regulation would probably be trade-oriented: a focus 
on competition may obliterate other perspectives, e.g. sustainability and human 
rights. 

Arguably, an international and cross-sector coordination between existing regulatory
authorities would be an IoT-friendly solution. Italy’s Permanent Committee
on M2M Communication could be a best practice that could be scaled up. This
was set up in 2016 by Italy’s Communications Authority (AGCOM) with the goal
of ensuring the necessary exchanges between all IoT regulators so that the subsequent
policies could be consistent with the other authorities’ activities. Alongside
AGCOM, whose president chairs the committee, other members are the Electric
Energy, Gas, and Water Authority (AEEGSI), the Transportation Authority (ART),
the Digital Italy Agency (AGID), and the Ministry for the Economic Development
(MISE). Building on this experience, this book invites European and international
authorities to consider the setting up of an International Regulation Coordination
Organisation for the IoT (IRCOIOT). This would be along the same lines of
one of the last brilliant ideas of Giovanni Buttarelli, the European Data Protection
Supervisor who passed away in August 2019. Buttarelli launched the idea
of a ‘Digital Clearinghouse,’ a voluntary network of regulators involved in the
enforcement of legal regimes in digital markets, with a focus on data protection,
consumer, and competition law. The European Parliament endorsed the initiative
underlining the importance of deepening regulatory synergies to safeguard
the rights and interests of individuals. More recently, in issuing an opinion on
online manipulation — rendered easier by the ubiquitous presence of Things —
Buttarelli reiterated the idea that ‘no single regulatory approach will be sufficient
on its own, and that regulators therefore need to collaborate urgently to tackle not
only localised abuses but also both the structural distortions.’ In this vein, as
of April 2021, the main digital regulators in the UK — Competition and Markets
Authority, Information Commissioner’s Office, Office of Communications, and
Financial Conduct Authority — strengthened the coordination between their activities
by pooling expertise and resources, working more closely together on online
regulatory matters of mutual importance, and reporting on results annually. The
main drawbacks of this initiative are its overlooking the global dimension of internet
governance and its having too broad a mandate (the regulation of digital and
online services). IRCOIOT would learn from these experiences and constitute a
stable cross-sectoral and cross-border organism entrusted with regulating the IoT
in a coordinated manner. It could even be initially conceived as a unit within the
Digital Clearinghouse.

1.6 Interim Conclusion


As noted in the epitaph, it is thanks to the regulatory interventions of the medieval 
guilds that the master could not become a capitalist. The nature itself of the IoT 
calls into question whether it is possible to rein in the power of the IoT overlords. 
Regulating capitalists has always proved arduous for the simple reason that ‘profit 
is the only regulator for capitalist production.’ The difficulty is augmented in
the IoT due to the difficulty of defining it, its sectoral fragmentation, relational 
black box, and global nature. However, this state of things does not justify defeat- 
ist attitudes; conversely, it should push us to find better and more sophisticated 
legal — and nonlegal — solutions to some of the most pressing issues of our time. 

In light of the risks of the IoT — from ubiquitous surveillance to consumer safety — 
fresh evidence is necessary to reassess if existing laws are still fit for purpose, if 
amendments or new laws are needed, and what regulatory strategy can steer the 
development of the IoT in a socially just direction. This book aspires to contribute 
to an evidence-based regulatory discourse. Whilst the case for IoT-specific laws 
has not been made, it does seem that many of the current laws that are relevant 
from an IoT perspective are not fit for this sociotechnological phenomenon.
Indeed, they tend to rely on those same dichotomies that the IoT is calling into 
question: online-offline, hardware-software, good-service, personal-nonpersonal. 
IoT-aware legal reforms are needed, and they should include top-down regulation.
We are beyond the hype, and with IoT technologies reaching maturity, it
no longer makes sense — if it ever did — to argue that regulating would stifle
innovation. Hard, binding laws seem the most appropriate response to a market 
dominated by few fine-immune, rent-seeking US- and China-based large corpo- 
rations. To regulate the IoT is no easy task. Whilst absolute extraterritoriality — 
such as the one enshrined in the GDPR and the AI Act — can be regarded as an 
excessive measure, more moderate solutions could adopt the model of some DSM 
measures. Coregulation is not to be dismissed, as long as (i) the ultimate respon- 
sibility for the framework rests with the lawmaker, (ii) it does not become the 
vehicle for private actors without democratic legitimacy writing their own rules, 
and (iii) consumers and workers can influence the process on an equal stand with 
IoT companies. In any event, coregulation is by itself insufficient and should be 
part of a wider strategy with hard laws at its core, and self-regulations (especially 
ethics and regulation by design) at its periphery. 

Such an integrated and non-binary strategy is not miles away from what the EU 
is already doing, with a mix of regulations (e.g. on free flow of nonpersonal data), 
coregulation (the PIA Framework on RFID), and self-regulation (e.g. AIOTI and 
its industry-driven IoT ecosystem). The content of these regulations, policies, etc. 
is open to criticism, but the idea of a complex strategy, with a focus on ‘tradi- 
tional’ regulation, is the most suitable for the IoT, although not in itself sufficient. 
Finally, given the global nature of the IoT, the sectoral fragmentation, and the
multidisciplinary legal issues thereof, there would be the need for some form of
international supervision. This role should not be played by a specific IoT authority, be
it ad hoc or within existing organisations. Instead, IRCOIOT is proposed, an International
Regulation Coordination Organisation for the IoT, which brings together
existing horizontal and vertical regulators in a cross-sector and cross-border way.


2 The Internet of Spying Sex Toys, Killer Petrol Stations, and Manipulative Toasters: A View of Private Ordering from the Contractual Quagmire


Outside contract, the very concepts of subject and will exist only as lifeless 
abstractions in the legal sense. 
Pashukanis, General Theory of Law and Marxism 


2.1 Scope of Chapter and Private Ordering 


This chapter aims to answer the following research subquestion: what are the 
main consumer threats in the IoT based on the analysis of the terms and condi- 
tions of Amazon Echo? To this end, it will map the main consumer issues in the 
IoT and focus on how these are enabled by the fact that IoT companies exploit 
gaps, inadequacies, and obsolescence of existing laws to put in place dubious 
practices of ‘private ordering’. 

Private ordering will be mainly observed through the lens of the contractual 
quagmire, i.e. the instrumental use of contracts to control the Thing and, ulti- 
mately, its user. The contractual quagmire is a core component of private ordering 
that includes other legal, factual, and technical forms of rule-making by private 
stakeholders. This private ordering is the direct or indirect cause of virtually all 
the consumer issues considered in this book, and its contractual species justi- 
fies the empirical qualitative analysis of IoT contracts presented here. Private 
ordering has become a fashionable topic in the studies about digital platforms, 
which are becoming as powerful as states and are accordingly assuming quasi-lawmaking
powers. However, private ordering predates the rise of platforms and
goes beyond them. When it comes to private ordering in the IoT, the starting 
point is that this sociotechnological phenomenon is moving at such a fast pace 
that existing laws struggle to keep up. This leaves ample room for private order- 
ing, which is private companies’ power to unilaterally regulate the IoT taking 
advantage of the lacunae and legacy issues in existing laws and of the slowness of 
the lawmaking process. The private agreements that instantiate private ordering
in the IoT can be regarded as eluding the law, but also as a form of response to
a legislative framework that always (and inevitably) lags behind technological
developments, often resulting in regulatory voids. While the focus of this chapter
is on contractual private ordering, technical private ordering is as problematic. 
The latter’s paradigm is the ability of IoT traders to shape market relationships 
through the use of algorithms and other opaque technologies — Lessig’s code as 
law and Brownsword’s technological management, as seen in the previous chap- 
ter. Regrettably, the details of such ‘technical’ private ordering are kept hidden 
mainly through a combination of trade secrets and technical protection measures. 
As such, there is not sufficient data to attempt to analyse this type of private order- 
ing. Conversely, data on ‘contractual’ private ordering is at least partly publicly 
available. The reference is to the numerous Terms of Service, privacy policies, 
etc. (collectively ‘legals’) that consumers are asked to accept if they want to use a 
Thing. This unilateral imposition is at odds with the principle of autonomy that is 
pivotal to the idea itself of contracts. 
As Hegel put it:


Everyone, we are told, makes a contract with the sovereign, and he in turn 
with the subjects... But... the contract . . . originates in the arbitrary will of 
the person . . . in the case of the state, this is different from the outset, for the 
arbitrary will of individuals is not in a position to break away from the state, 
because the individual is already by nature its citizen. 


The essence of a contract is the ‘arbitrary will’ of the contracting party and their 
ability to break away from the contract. It could be said that the relationship 
between IoT companies and their users is reminiscent of the relationship between 
states and citizens, rather than being of a genuinely contractual nature. Indeed, 
in IoT contracting there is no room for the arbitrary will of the IoT users, who 
are forced to accept a cascade of ‘legals’ when using their Things, following an 
increasingly common take-it-or-leave-it approach. In this sense, IoT users can be 
regarded as the subjects of the new ‘smart’ state under the rule of IoT’s big players. 


2.2 A Four-Pronged Methodology 


This chapter adopts a four-pronged methodology. First, a desk-based literature 
review is carried out to map benefits and issues in the IoT. While the perspective 
is a European one, English law is considered in those areas that have not been 
harmonised. The UK has retained most of the EU acquis, and although as of
January 2021 the UK is no longer obliged to comply with EU law, it is likely that
it will retain legislative and regulatory convergence with its main commercial
partner due to the so-called Brussels effect. This research has been carried out
between Newcastle upon Tyne, Palermo, and Stirling. However, I have not taken
an Italian law angle to increase the accessibility of the text, as most readers will not be
able to access Italian sources. I have not taken a Scots law angle either because 
although some of the topics covered in this book impinge on devolved matters 
(e.g. human rights), the Scotland Act 1998 reserved to the UK Parliament legisla- 
tive competence over internet services, IP, and much consumer protection and 
commercial law.

Second, the chapter takes a case study approach and examines the complexity
of the IoT through the lens of a specific series of products, i.e. the Echo ‘family.’
Its components varied over time, but at the time of writing, this series included
Echo and Echo Plus, the can-shaped, voice-activated, web-connected speakers
produced by Amazon and equipped with speech-controlled virtual assistant
Alexa; Dot (its smaller and less-powerful version); Show (equipped with a display);
Spot (alarm clock); Look (style assistant); Input (to bring Alexa to third-party
speakers); Flex (plug-in speaker); Button (game buzzer); and Wall Clock.
The terms of service, privacy policies, end user license agreements, etc. of these
products (hereinafter ‘Echo’s legals’) provide a good case study of IoT complexity
because Echo and Alexa appear to be leading the smart home market. To do
so, the next sections will carry out a text analysis of Echo’s legals. All documents
were accessed in the UK in April 2020 from a desktop computer and an
Android phone. Such a method was first used in 2016 when, looking at Google
Nest Thermostat, it was found that for a single seemingly simple Thing, thousands
of contracts would apply. Shoshana Zuboff underlined how this is a salient and
worrying feature of surveillance capitalism. I have replicated the Google Nest
experiment to critically assess if the considerations that were made with regards
to Nest are applicable to Echo, which would suggest their potential for generalisation.
The choice of this case study is due to the fact that (i) consumer goods are the
fastest-growing domain in the Fourth Industrial Revolution, (ii) the Echo range
is the clear market leader in the field of home automation, (iii) Amazon’s cloud
services AWS seem to have become the de facto hidden infrastructure of cloud-enabled
products and services in Europe, and (iv) the use of data by Amazon is
under increasing public scrutiny, as most recently epitomised by its being handed
the largest fine to date under the GDPR. The limitation of this method is that
there is insufficient data as to how these legals are implemented; therefore, it
cannot be excluded that the actual practices diverge from the stated policies.

Third, Amazon’s corporate group will be scrutinised. The data on Amazon’s
conglomerate is not public, but it is partly accessible through the European
e-Justice Portal. The analysis was carried out in April 2020 with a method
developed to study Uber, where the text analysis of Uber’s legals was coupled
with the interrogation of national and international databases held by Companies
House and its counterparts. This time, I focused on the latest available version of
the business register’s documents and dedicated particular attention to the Annual
Accounts of 2020. Amazon EU S.à r.l.’s accounts did not contain a full list of
subsidiaries; therefore, it was necessary to analyse the documentation of the ultimate
parent, that is, Amazon.com Inc., based in Seattle (Washington). It should
be noted that information available about US companies varies according to state
law and detailed disclosure is often optional. The state of Washington discloses
very limited information (Figure 2.1).

Fortunately, since Amazon’s shares are traded publicly, they also need to register
with the Securities and Exchange Commission (SEC), whose data policies
are more open. Through SEC’s database, it was possible to access Amazon.com
Inc.’s annual report. The information on the supply chain has also been sourced
from Amazon’s customer advisers, to whom I submitted queries by email and
through Amazon’s live chat.

License information:
Entity name: AMAZON.COM, INC
Business name: AMAZON.COM, INC.
Entity type: Profit Corporation
UBI #: 601-720-490
Business ID: 001
Location ID: 0002
Location: Active
Location address: 410 TERRY AVE N, SEATTLE WA 98109-5210
Mailing address: PO BOX 81207, SEATTLE WA 98108-1207
Governing people: DEAL, MICHAEL D

Figure 2.1 License information regarding Amazon.com Inc., obtained through the Washington
State Department of Revenue’s database on 4 April 2020.

Finally, the chapter concludes with some autoethnographic remarks. Autoethnography
is a ‘research method and methodology which uses the researcher’s personal
experience as data to describe, analyze and understand cultural experience.’ By
sharing one’s personal experience, emotions, and interactions — in my case, oscillating
between euphoria and frustration — autoethnography contributes to a richer
and more meaningful understanding of the relevant phenomenon.


2.3 Consumer Benefits 


It is beyond contention that the IoT has the potential to greatly benefit consumers
and society at large. Compared to ‘nonsmart’ devices and systems, Things
provide new functionalities thanks to their sensing, actuating, connectivity, and
communication capabilities. Services that once were available only offline or
by accessing a desktop computer are becoming decentralised and accessible from
every Thing and on the go. Complex Things such as driverless cars will allow
human drivers to use their commute time for alternative, more useful activities
and will allow people who cannot or prefer not to drive a vehicle to travel more
easily. Saving costs and minimising the impact on the environment are other
ways in which Things can be advantageous. For example, the new generation of
thermostats automatically adjusts the temperature, thus reducing the pollution and
the costs associated with excessive heating. By leveraging the big data produced
by Things, traders can tailor their products and services and offer, for example,
discounted insurance rates to consumers who allow the insurance company to
remotely monitor car usage. This granular information can also be used to
show us personalised offers and more relevant advertising. As noted optimistically
in the influential Zero Marginal Cost Society, the IoT is ‘pushing large
segments of economic life to near zero marginal cost’; thus, it would usher in
a future where Things are ‘nearly free, and abundant, and no longer subject to
market forces.’ Finally, the ability of manufacturers to remotely modify Things
means that upgrades can be delivered over the air throughout the life cycle of
the Thing, whose performance could endlessly improve. Smarter can also mean
safer. Indeed, Things can alert manufacturers of unsafe conditions or use, and the
manufacturer could deactivate or ‘brick’ the unsafe Thing, alert the consumers,
and deliver fixes without necessarily recalling the Thing. Safety issues may also
be prevented upstream using RFID and other tracking technologies, including the
blockchain, to identify risks to the supply chains in real time and mitigate them
promptly.

This is only one side of the coin, however. The other side is a dark tale of spy- 
ing sex toys, killer petrol stations, and manipulative toasters. Indeed, as examined 
in the next sections, consumers encounter risks that go well beyond invasions of 
privacy, due to the core features of IoT technologies, in particular their physical- 
ity, ubiquity, and invisibility. 


2.4 The Main Risks Encountered by Consumers of Things 


The main threats IoT consumers should be aware of are: 


(i) Surveillance capitalism and its challenges to privacy and data protection.

(ii) The ‘death of ownership’ that transforms consumers into digital tenants 
because IoT traders either retain ownership of the Thing or retain control 
over it via IP rights, contracts, and technological measures. 

(iii) Private ordering ‘by bricking,’ that is, the IoT traders’ ability to remotely 
monitor consumers and automatically downgrade the Thing, discontinue 
the service, remove functionalities, determine the lifespan of the Thing, and 
even deactivate or ‘brick’ it. 

(iv) Defective and vulnerable Things. Current legal regimes struggle to cope 
with new defects (e.g. software updates, inaccurate sensors, etc.) and vulner- 
abilities (e.g. the limitations stemming from software instructions and train- 
ing datasets that affect the capacity to predict human behaviour in real-world 
scenarios). 

(v) IoT commerce and the limited opportunities to inform consumers who make 
transactions while immersed in hyperconnected interface-free environments. 

(vi) The Internet of Personalised Things. Things allow traders to personalise 
products, services, prices, and ‘legals.’ Situational data and granular knowl- 
edge of biases and human vulnerabilities allow these traders to manipulate 
consumers and even discriminate against them, thus hindering their trust. 

(vii) The contractual quagmire, namely, the plethora of ‘legals’ that IoT consumers
are forced to accept when using their Things.


Some of these issues are at the core of ‘traditional’ consumer law in the sense
of that field of law that expressly regulates the relationship between consumers
and traders. Within consumer law, some regimes deal with business-to-consumer
contracts. These include the Consumer Sales Directive, recently paired with
the Digital Content Directive; the Consumer Rights Directive; and the Unfair
Terms Directive. The next chapter will critically assess whether they can tackle
issues iii, v, and vii, respectively. Other ‘traditional’ consumer laws protect consumers
regardless of a contractual relationship, most notably the Product Liability Directive
and the Unfair Commercial Practices Directive. Chapter 4 will explore their
suitability to deal with issues iv and v respectively. Finally, to successfully tackle
the consumer issues in the IoT, it is crucial to adopt an integrated approach
that encompasses also laws that are not normally regarded as consumer laws
as the existence of a consumer is not a precondition for their application. In particular,
Chapter 4 will consider whether data protection and intellectual property
law can protect consumers against IoT traders’ abuses, as epitomised by i and ii,
respectively.


2.4.1 Surveillance Capitalism and the Insufficiency of a Privacy-Only Approach


The vast majority of legal studies on the IoT have a privacy focus. When everything
that we wear, hold, ingest, or that surrounds us collects granular data about
us, sends it back to the manufacturer, and shares it with an unknown number of
third parties, there is no doubt that our privacy is at stake. Indeed, as Shoshana
Zuboff asserts, we do live in the age of surveillance capitalism. It is also true
that, even though the GDPR may increase the level of the protection of the right
to privacy in the EU, it has a number of shortcomings, such as its focus on rights
that individuals do not have the time and resources to invoke and fines that do not
appear to have a deterrence effect on the main corporate players. At the same
time, the GDPR penalises smaller businesses by imposing unaffordable compliance
burdens. Chapter 5 will investigate this further. Justifiable as it may be,
the privacy angle has obfuscated other equally important threats to consumers,
as well as keeping in the shadow other legal regimes that could play a key role in
empowering consumers and making sure that the IoT remains human-centric.

There are three reasons that a privacy-only approach does not help IoT consumers.
They have to do with the weakness of consent as a justification for processing,
the death of ownership, and the contractual quagmire. First, data protection laws
require a legal basis for personal data processing, and this is usually interpreted
as an obligation to seek the data subject’s consent, though only a minority of
companies obtain a consent that would comply with the high standards set by data
protection laws. The other go-to legal basis is legitimate interest, but it is not
available when data is used in ways individuals reasonably expect and which have
a minimal privacy impact; therefore, it will not be of much help in many IoT
scenarios, where it is hard to understand how data is (re)used and where sensor
data is recombined in privacy-invasive ways.

Consent-based approaches have proved to be useless, especially when data 
controllers hold ‘data power,’ a multifaceted form of power arising from the
control over data flows. Thanks to IoT data power, traders can impose unlaw- 
ful, opaque, or otherwise unfair data practices — and the data subjects are forced 
to accept. The take-it-or-leave-it approach has both a contractual and technical 
basis. The former is exemplified by Deroo-Blanquart v Sony Europe, when the
CJEU considered fair the practice whereby Sony obliged its laptops’ consumers 
to accept the operating system’s EULA. The latter is best expressed in Lessig’s 
words about code as the law of cyberspace, where individuals are deprived of the 
choice of whether to conform to this new ‘law’: 


One obeys these laws as code not because one should; one obeys these laws
as code because one can do nothing else. There is no choice about whether
to yield to the demand for a password; one complies if one wants to enter the
system.


The other two reasons that privacy-only approaches are insufficient coincide with 
distinct, albeit overlapping, consumer issues in the IoT and will be therefore ana- 
lysed in the following sections. 


2.4.2 The Death of Ownership in the New Rentier Capitalism 


The ‘death of ownership’ phenomenon refers to the fact that we do not own our
Things — we are digital tenants. Even when we formally own ‘our’ Things, IP
rights, contracts, and technological measures prevent us from having control over
them. The death of ownership has repercussions on most consumer rights, as
seen in Joshua Fairfield’s Owned, which opens with a story of spying sex toys.
In 2016, a class action lawsuit was brought against smart erotic massage manufacturer
Standard Innovation. This Thing had been collecting its users’ most
intimate data, including date and time of usage and temperature. Standard Innovation
would collect data via the We-Connect app and use it for market research
purposes. The embedded software would secretly send the users’ data onto the
manufacturer’s servers. Standard Innovation was able to argue that this practice
was lawful because users had accepted the EULA, which disclosed the relevant
processing activities and because the company could use their copyright on the
embedded software to factually control the Thing in its entirety. The fact that IP
and contract law have ‘crowded out everyday property ownership’ led Fairfield
to conclude that we must restore such ownership, else we are owned. Although
this solution will be contested in Chapter 6, Owned provides a good analytical
framework to understand the power dynamics underpinning the IoT. The shift in
control illuminated by the death of ownership cannot be addressed solely through
data protection. Despite the GDPR’s emphasis on restoring consumer control over
data, it does not seem adequately equipped to counter the death of ownership,
as it provides limited tools to rebalance IP-related and contractual imbalances.
For example, the GDPR concedes that IP rights may prevail over data subject rights,
although it does not clarify how the conflict should be resolved.
The erotic Thing case study is also illustrative of a third reason that privacy-only
approaches are inadequate, as well as a consumer issue in its own right: the
‘contractual quagmire.’


2.4.3 Private Ordering by ‘Bricking’ 


A third issue is private ordering by ‘bricking.’ This is a manifestation of the afore- 
mentioned ‘technical’ private ordering, that is, the phenomenon whereby private 
companies take advantage of legal gaps and of the slowness of the lawmaking 
process to impose their own rules on consumers of new technologies. This can 
be done in subtle ways, for example, by using opaque algorithms to manipulate
our emotions.60 Some forms of technical private ordering are kept secret.
However, other forms can be inferred from the legals and from the observation of common
practices. Private ordering by ‘bricking’ refers to manufacturers and third parties
having control over the Thing or over some of its components, and thus being able 
to downgrade it, remotely delete contents, discontinue software updates, prevent 
lawful and fair uses by design, and determine the Thing’s lifespan. Bricking here 
means deactivating, as in depriving a Thing of its ‘smartness.’ 

The ability to do so stems from the joint operation of the non-binary nature of 
the IoT — not entirely goods, not entirely services — the death of property, the data 
power held by IoT traders, the remote-monitoring capabilities of the Things, and 
the contracts providing a dubious legal basis for abusive practices. 

The phenomenon has been regarded as a form of ‘private regulation by
bricking’61 by an author who has focused on the deliberate impairment or destruction of
software (and discontinuation or downgrading of services) with the aim of
negatively affecting product functionality. As she correctly considered, this is a form
of techno-regulation à la Brownsword, that is, a type of regulation of cyberspace
that does not limit itself to recognising ‘code as part of the regulatory repertoire;
it does not simply make use of CCTV, forensic data bases, tracking devices, and
the like; instead, it relies entirely on design.’62 This book shares the view that IoT
private power is allowing traders to reshape the governance of Things and gives 
them the ‘unfair capacity to impose their preferred policies unilaterally, automati- 
cally, and remotely.’ 

Bricking can take the form of programmed obsolescence, which is a reminder 
of how the IoT can negatively affect the environment. In an effort to contribute 
to the circular economy, the EU in 2019 adopted ten implementing regulations
that complement and update the Ecodesign Directive, which introduced design
requirements aiming at improving the environmental performance of products, 
with a focus on household appliances’ energy efficiency. The 2019 implementing 
regulations can be regarded as introducing a solution to the issue of programmed 
obsolescence by providing something akin to a ‘right to repair,’ meaning that as 
of March 2021, household appliance manufacturers must make appliances longer- 
lasting and supply spare parts for up to ten years. The solution is only partial due to 
the fact that the ‘right to repair’ is available only to professional repairers and that 
it applies only to lighting, washing machines, dishwashers, and fridges. From 
an IoT perspective, it is particularly worrying that there is no requirement for 
manufacturers to continue updating software throughout the lifetime of a product. 
Hopefully, the current increased sensitivity towards issues of climate change and 
sustainability, alongside the desire for the IoT to unleash its potential, will lead to 
a more ambitious adoption of a universal right to repair in Europe and globally.67 


2.4.4 The Vulnerability of Things 


A crucial consumer concern is ensuring that Things are free of defects and, more
generally, secure. Having surveyed 1,000 consumers in Australia, Canada, France,
Japan, the UK, and the US, a 2019 study found that 60% of consumers believe that
IoT traders have an obligation to ensure their Things are secured.68 Yet only 22%
of cybersecurity personnel believe that such security is achievable.69 This could
seriously hinder the IoT uptake, since security concerns are as determinant as
the price when it comes to the consumer’s decision to purchase a Thing.70 To get
a sense of the dangers associated with IoT vulnerabilities, one need only consider
the driverless car industry. In 2016, Tesla reported the first death of a driverless
car’s passenger; the sensors did not distinguish a white tractor-trailer crossing
the highway against a bright sky. The top of the vehicle was torn off by the force
of the collision.71 In 2018, a driverless Uber car killed a woman in the first ever
fatal crash involving a pedestrian. She was walking outside of the crossroads, and
the car hit her without even attempting to slow down.72 These events suggest that
the IoT disrupts yet another dichotomy: this time the lines that blur are the ones
between cybersecurity and security. The two overlap and often coincide.73 Virtual
attacks and software vulnerabilities can have serious consequences in the physi- 
cal world. It would be hard to achieve consensus around whether the remotely 
triggered explosion of a smart petrol station would be a security issue or a cyber- 
security one. Things, especially complex ones, such as cars, can be a threat to the 
life and integrity of consumers for a number of reasons. These include defective 
sensors, the lack of instinctual reactions, and the incapability to predict behaviour 
beyond the training dataset — Uber did not predict that pedestrians can, and often 
do, walk outside of the zebra crossing. 

It should be questioned if these types of failures qualify as a harm for which
IoT traders can be found liable. To trust that the IoT is not defective and
vulnerable, consumers can rely on a wide array of legal tools. The relevant, and rather
complex, legislative framework revolves around the Product Liability Directive,
the soon-to-be-replaced Machinery Directive,74 the GDPR, and the Network
Information Security Directive.75 Recent calls to strengthen the security of Things
resulted in the proposal to pass a delegated act to allow the Radio Equipment
Directive76 to apply to software that has been added to the Thing after it has been
put on the market77 and in the discussion on the introduction of horizontal
cybersecurity legislation to be coordinated with the certification framework set forth by
the Cybersecurity Act.78 Tools to increase IoT security can also be found in ‘soft’
instruments, such as codes of practice, certification schemes, and standards. The
most notable examples are, respectively, the UK’s Code of Practice for Consumer
IoT Security,79 ENISA’s efforts to draft the first EU cybersecurity certification
schemes,80 and ETSI’s TS103645,81 the first globally applicable standard for
consumer IoT security. Laudable, albeit nonenforceable, efforts to make our Things
less vulnerable.


2.4.5 IoT Commerce: Contracting in Immersive, Hyperconnected, 
Interface-Free Environments 


Moving on to the fifth consumer issue in the IoT, the starting point is that
consumer laws oblige traders to inform consumers about key aspects of the
relevant transactions and products (so-called mandated disclosures or consumer
notices).82 The IoT is increasingly used to communicate information to us, collect
our information, and facilitate transactions. Communicating information is
problematic because the IoT is ubiquitous, invisible, and interface-free.83 The shift
from e-commerce to IoT-commerce means that we live immersed in a world that
is hyperconnected and supposedly smart; here, the information costs rise
vertically. Indeed, because ‘almost anything can now be designed to run software,
the amount of resources a person must expend to learn how to appropriately
use the devices in their possession will increase, whether the objects in fact run
software or not.’84 The time, attention, and resources that this absorbs adversely
affect the time, attention, and resources that are needed to read and understand the
consumer notices and the legals more generally. Things are increasingly used for
e-commerce purposes, as exemplified by Amazon Echo and Google Home; this
means that consumer contracts are concluded not only without any paper
information but also without even a digital visual copy of the information. This is because,
in IoT commerce, traditional interfaces become smaller, mutate, and even
disappear.85 The Consumer Rights Directive86 mandates the communication of certain
information before the conclusion of a contract. This notice-and-consent approach
may be regarded as unfit for an interface-free world, where purchases are actioned
by voice, buttons, and eye blinks, as will be shown in the next chapter, which will
look at a German decision on Amazon Dash Button.


2.4.6 The Internet of Personalised Things and Consumer Manipulation


A sixth consumer issue in the IoT is the ‘Internet of Personalised Things.’ The 
IoT could be the key disruptor of e-commerce not only because of the ubiquitous 
and ‘always-on’ access to purchasing facilities but also because Things are the 
cookies of tomorrow. Whereas we can delete or block the cookies hoping that 
this will prevent companies from tracking us, what can we do when our smart 
devices themselves are used to identify us, track us, and profile us? Things can 
be used to profile and target consumers with unparalleled precision and efficacy. 
This is confirmed by an empirical study that concluded that the ability to
profile and target IoT consumers is one of the key trends in the future development
of IoT for businesses.87 The granular, situational, and often sensitive data
collected by Things and their ability to follow the consumer and target them at the
best time and in the best context all contribute to the IoT being a very powerful
weapon of manipulation. IoT-enabled profiling can allow personalised ads,
personalised products, personalised prices, even personalised terms of service.88 The
line between personalisation and manipulation is a fine one. Big data analytics
is increasingly less about predicting consumer behaviour and more about
influencing it. IoT-generated data, Thing analytics, profiling, and targeting can be
used to actively influence and change consumer behaviour through personalised
nudges.90 More data and more advanced tools to influence the consumers enable
IoT traders to utilise cognitive biases, vulnerabilities, and proclivities to shape
consumer perceptions and behaviour.91


2.4.7 The Contractual Quagmire 


In the IoT, consumers find themselves in a contractual quagmire in the sense that
countless legals are attached to every Thing, and these are difficult to find, read,
and understand. Stuck in the quagmire, the consumer feels that they have no
choice but to accept all the legals, regardless of how unfair, opaque, and
potentially unenforceable they may be.

The phrase ‘contractual quagmire’ was coined by Jennifer Belcher92 in 2004,
but it had a radically different meaning. Indeed, Belcher used it to criticise the US
Supreme Court’s decision in Archer v Warner93 that stated that bankruptcy courts
should ‘look behind’ privately contracted settlements to determine if the
underlying and completely released original debt was obtained by fraud. The author
critically concluded that the court had merely ‘created a contractual quagmire for those
parties seeking settlement of fraud claims.’ Transactions are often accompanied
by a plethora of contracts, but the IoT exacerbates existing problems.94 As Things
are a mixture of software, hardware, service, and data, and due to an elaborate supply
chain (the ‘relational black box’), consumers of seemingly simple Things like a
thermostat or a speaker find themselves submerged by dozens of legals. These are
used by IoT traders to purport to retain full control of the Thing and yet disclaim
all liability. And they do so with overly long, illegible, and inconsistent documents
that few read, let alone understand.95 Therefore, consumers have little control over
their Things, are deprived of most of their rights, and are practically left without
redress — either because, in the quagmire, they cannot identify who the defendant
would be or because they were forced to accept foreign, inaccessible jurisdiction.96

To conclude, the IoT may benefit consumers, but only if they are aware of the
risks and if the law provides effective incentives for IoT companies to treat
consumers fairly. The analysis above therefore aimed to raise awareness of some
consumer threats in the IoT and to reflect on the issues that existing laws need to
grapple with. To complete the picture, the next sections of this chapter will focus
on an empirical analysis of Amazon Echo’s ‘legals.’ Its findings will be of help to
understand what ‘legal’ private ordering is and how, if at all, we can counter it.


2.5 Fantastic Legals and Where to Find Them: 
Understanding Private Ordering through Amazon 
Echo’s Contractual Quagmire 


In order to assess if and how EU laws can assist IoT consumers, it is important to 
look at the ‘legals.’ This methodological option is based on two considerations. 
First, IoT traders take advantage of the lacunae left by non-IoT-aware laws to 
heavily regulate and restrict the behaviour of consumers, which gives rise to a 
form of contractual private ordering. This makes it important to empirically
analyse the contracts, as they can even take precedence over formal laws when it comes
to determining the actual rights and obligations of the IoT actors.97 Second, the
unfairness of a contractual term is assessed ‘by referring . . . to all the other terms
of the contract or of another contract on which it is dependent.’98 Therefore, it is
imperative to have a clear picture of the overall applicable contractual framework.
Many consumer issues stem precisely from the interactions between these
networks of contracts.99


2.5.1 Amazon’s Forest of Terms and Conditions: The ‘Core Legals’ 


A consumer that uses a speaker does not expect to face a legal mountain. How- 
ever, if one wants to have a comprehensive picture of the rights, obligations, and 
responsibilities associated with the use of Amazon Echo, one must read at least 
246 ‘legals.’ These include terms of use, terms of service, terms and conditions, 
conditions of use, conditions of sale, notices, agreements, policies, certifications, 
guidelines, usage rules, warranties, licenses, requirements, lists, codes of con- 
duct, statements, warnings, choices, legal information, addendums, and additional 
terms. They are referred to as legals and not as contracts because in some
jurisdictions their contractual nature is disputed.100 I have focused on the UK legals for
language reasons and because during the data collection, I was mostly based in the
UK; however, users from other member states face the same number of legals. US
consumers have to accept partly different legals both in their content (e.g. to take
account of the unenforceability of certain clauses under EU consumer law) and
in their number. For example, in Europe we do not have the Children’s Privacy
Disclosure,101 which regards the way Amazon collects information from children
under the age of 13. The reason for this difference is that in the US, children are
expressly targeted as customers, whereas Amazon’s European companies rely on
the fiction whereby they ‘sell children’s products for purchase by adults.’102

The following 24 legals are ‘core’ in the sense that they are the most likely to
directly affect rights, risks, and obligations in Echo’s ecosystem.


Table 2.1 Amazon Echo's Core ‘Legals’

| Name | Parties | Subject Matter | Issues |
|---|---|---|---|
| Amazon Device Terms of Use103 | Amazon EU S.à r.l., Amazon Media S.à r.l. and their affiliates | Kindle e-readers, Fire tablets, Fire TV devices, the Echo series, Smart Plug, Dash Button, Dash Wand, and any Amazon accessories | Although it purports to regulate the use of the device as hardware, it ends up covering also digital content (e.g. e-books), services (e.g. wireless connectivity), and software (the program running in an Echo). |
| Alexa Terms of Use104 | Amazon Media EU S.à r.l. and its affiliates | Virtual assistant Alexa either in its immaterial form or embedded in an ‘Alexa-Enabled Product’105 | ‘Alexa-enabled product’ refers typically to Echo but also to mobile apps, thus suggesting a new concept of ‘product,’ potentially free of its hardware substratum. |
| Conditions of Use and Sale106 | Amazon Europe Core S.à r.l., Amazon EU S.à r.l., and their affiliates | ‘Amazon Services,’ including website features and other products and services provided on Amazon.co.uk, Amazon devices, products, or services, Amazon applications for mobile, or software provided by Amazon | A new concept of service, traditionally distinct from devices, products, and software, but here included in it. |
| Privacy Notice107 | Amazon Europe Core S.à r.l., Amazon EU S.à r.l., Amazon Services Europe S.à r.l., Amazon Media EU S.à r.l., and Amazon Digital UK Limited | Processing of personal data through Amazon websites, devices, products, services, stores, and apps that reference the Privacy Notice | It deals with ‘Amazon Services,’ which are not defined in the same way as the Conditions of Use and Sale, where, by contrast, service encompasses software provided by Amazon. It is unsure which document governs that type of personal data processing. It is also unknown if this is the same privacy policy that applies to Amazon’s mobile apps, since the app’s link to the policy does not work.108 |
| Cookies109 | Unspecified | Tracking and profiling | The document does not identify the contractual party. |
| Interest-Based Ads110 | Unspecified | Tracking, profiling, and targeted advertising | In addition to the issue of nonidentification, ‘interest-based advertising’ could be regarded as the mere rebranding of ‘targeted advertising.’ |
| Privacy Shield Certification111 | Unspecified | EU-US data transfers | It covers only five of Amazon’s companies;112 it excludes, for example, Twitch.tv and IMDb. When the analysis was first conducted, the scheme covered seven companies. It is unclear if the companies who are no longer certified have meanwhile ceased to exist, no longer qualify as data importers, or lost the certification, which may indicate that they do not protect personal data in an adequate way. After the Schrems II case,113 Amazon no longer relies on the Privacy Shield but still refers to this certification as they ‘continue to keep to the commitments . . . that [they] made when [they] certified to the Privacy Shield’114 |
| Amazon Payments Europe User Agreement — Personal Accounts115 | Amazon Payments Europe s.c.a. | Wallet services, which enable consumers to pay users with merchant accounts using internet- or mobile-based services and applications | |
| Amazon Assistant Conditions of Use116 | Amazon Europe Core S.à r.l. and its affiliates | A suite of software applications that supplement the online shopping experience by comparing products from Amazon as one shops on retailer websites | |
| Alexa Communication Usage Guidelines117 | Unspecified | Communication through Alexa | It does not identify the contractual party, and it does not define ‘communication.’ |
| One-Year Limited Warranty for Amazon Devices118 | Amazon EU S.à r.l. | Repair, replacement, or refund should defects in materials and workmanship arise within one year from the purchase of most Amazon devices | The warranty applies ‘only to hardware components of the Device that are not subject to accident’ or other external causes. |
| Limited Warranty for Amazon Accessories119 | Amazon EU S.à r.l. | 90-day warranty; applies to some Things such as Echo Buttons and Echo Wall Clock | These Things are qualified as ‘accessories’ despite the line between them and the rest of Amazon’s devices being blurred. |
| Amazon Fire Game Controller 90-Day Limited Warranty120 | Amazon EU S.à r.l. | Amazon Fire game controller | Hardware-only protection. Amazon groups the main legals in a page.121 This document is linked there, but the link does not work.122 It was found by accident via a link in the return policies. |
| Worry-Free Guarantee (Two-Year Limited Warranty)123 | Amazon EU S.à r.l. | Fire HD Kids Edition Tablet, Fire Kids Edition Tablet with Kid-Proof Case, and Kindle Kids Edition | It purports to cover only hardware defects. |
| Alexa Voice Remote 90-Day Limited Warranty124 | Amazon EU S.à r.l. | Fire’s remote if purchased separately | It purports to cover only hardware defects. |
| One-Year Limited Warranty (Waterproof Devices)125 | Amazon EU S.à r.l. | Kindle Oasis and Kindle Paperwhite | It purports to cover only hardware defects. |
| Amazon Premium Headphones 90-Day Limited Warranty126 | Amazon EU S.à r.l. | Amazon Premium Headphones | It purports to cover only hardware defects. It is unclear why there should be 7 distinct warranties. |
| Amazon Prime Terms and Conditions127 | Amazon EU S.à r.l., Amazon Media EU S.à r.l., Amazon Video Limited, and their affiliates | Prime, the membership program whose main benefits are fast shipping and discounted prices | |
| Amazon Music Terms of Use128 | Amazon Digital UK Ltd. | Services, this time defined as unlimited, Prime Music, Amazon Music (free with ads), the Store, and the Music Library Service | It provides a long list of Amazon traders that may be the consumer’s counterparty depending on the location, but regrettably it refers to a further page129 for the identification of the actual party. ‘Services’ are given each time a different meaning. |
| Amazon Photos Terms of Use130 (previously Amazon Drive Terms of Use) | Amazon Media EU S.à r.l. and its affiliates | Both services and software, and in particular storage, retrieval, management, and access features and functionality for photos, videos, and other files | |
| Amazon Prime Video Terms of Use131 | Amazon Digital Services LLC, Amazon Digital UK Limited, and their affiliates | Personalised service that offers consumers discovery of digital movies, television shows, and other video content | The party may change over time. ‘Your Amazon Prime Video service provider may change from time to time, with or without prior notice.’132 |
| Amazon Prime Video Usage Rules133 | Unspecified | The ways to watch (e.g. streaming or downloading) and the viewing period of the video contents depending on whether the video was purchased, rented, accessed on a subscriptions basis, etc. | The document does not identify the contractual parties. This confirms also the aforementioned idea of death of ownership and its practical and legal ramifications. |
| Third Party Software134 | Unspecified | Use, in Amazon’s video services, of Microsoft PlayReady™, a copy prevention technology embedded in software and hardware that allows control over the video content displayed on Amazon’s Things. The document includes also the Open Source Notices for Amazon Video.135 | Linked to the death of ownership is the idea of a private ordering ‘by bricking’ thanks to IP rights on different aspects of Thing. It includes the threat that the only alternative to accepting PlayReady™ is no longer being able to access the content. The keen consumer may find the Third Party Software Licenses in a separate page.136 |
| Amazon Devices Return Policies137 | Unspecified | How to return Echo and other Amazon Things within 30 days. | This ‘legal’ regards also the return of nonhardware products, namely, Kindle books, as well as services, namely, Kindle subscriptions, thus confirming the untenability of the attempts to regulate the Things’ components as if they were not interdependent. |


The main issues that the aforementioned table shows are as follows.


(i) The subject matter of each of the documents remains usually unclear either
because a document’s title refers to an aspect of the Thing, but it covers also
other aspects (e.g., Amazon Device Terms dealing with software) or because
it provides a definition of ‘services’ and ‘products’ that changes from
document to document.

(ii) The contractual parties are often left wholly or partly unidentified, or they
are set to change over time without notice.

(iii) Only some of the legals are grouped in an ad hoc ‘legals section’ on the IoT
trader’s website. The others are often hidden in other parts of the website or
hyperlinked in one of the ‘grouped’ legals.

(iv) Every layer of the Thing is heavily controlled by the IoT trader in a
proprietary way; the consumer is accordingly left with little control over the Thing,
qualifying more as a tenant than an owner.

(v) The prohibitive number of legals that an IoT consumer is expected to find
and read.


and Gunther Teubner, ‘Editorial zum Schwerpunkt Vertragsnetze: Rechtsprobleme vertraglicher
Multilateralität’ (2006) 89 KritV Kritische Vierteljahresschrift für Gesetzgebung und
Rechtswissenschaft 103.

100 Thomas B Norton, ‘The Non-Contractual Nature of Privacy Policies and a New Critique of the
Notice and Choice Privacy Protection Model’ (2016) 27 Fordham Intellectual Property, Media &
Entertainment Law Journal 181.

101 Last updated on 28 August 2019 <www.amazon.com/gp/help/customer/display.html?nodeId=202185560>.

102 Amazon Privacy Notice, last updated on 23 September 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201909010>.

103 Last updated on 4 September 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=202002080>.

104 Last updated on 11 June 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201809740>.

105 Preamble to the Alexa Terms of Use.

106 Last updated on 10 July 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=1040616>.

107 Last updated on 23 September 2019 <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201909010>.

108 Accessed from an Android phone on 2 October 2019.

109 Last updated on 23 May 2018 <www.amazon.co.uk/gp/help/customer/display.html/?nodeId=201890250>.

110 Last updated on 23 May 2018 <www.amazon.co.uk/gp/help/customer/display.html/?nodeId=201909150>.

111 Original certification date 16 August 2017 <www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4>.

112 As of 2 January 2020, Amazon’s traders that are Privacy-Shield-certified are Amazon.com, Inc., Amazon Advertising LLC, Amazon Web Services, Inc., Audible, Inc., and Amazon.com Services LLC.

113 Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems (CJEU, 16 July 2020). Although this case is popularly known as Schrems II, it should be more correctly referred to as Schrems III as the second Schrems case is Case C-498/16 Schrems v Facebook Ireland [2018] 1 WLR 4343.

114 Privacy notice, clause 12.

115 Last updated on 6 August 2019 <pay.amazon.co.uk/help/201751590>.

116 Last updated on 8 October 2015 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=202055080>.

117 Last updated on 11 June 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=202143060>.

118 Unknown date <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_ac?ie=UTF8&nodeId=201311110>.

119 Unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201606430>.

120 Unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201484900>.

121 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201483110>.

122 The link to the ghost legal is <www.amazon.co.uk/gp/help/customer/display.html?nodeId=00000>.

123 Unknown date <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201606410>.

124 Unknown date <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201484910>.

125 Unknown date <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=202197860>.

126 Unknown date <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201555510>.

127 Last updated on 25 March 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=200198240>.

128 Last updated on 1 October 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201380010>.

129 Amazon Music Service Provider Information and Applicable Terms and Policies, unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeId=200738950&view-type=content-only>.

130 Last updated on 4 September 2018 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201376540>.

131 Last updated on 5 February 2019 <www.primevideo.com/help?nodeId=202095490&view-type=content-only>.

132 Amazon Prime Video Terms of Use.

133 Unknown date <www.primevideo.com/help?_encoding=UTF8&nodeId=202095500>.

134 Last updated on 26 July 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201422780>.

135 In the US, there is a separate document for these, namely Notice Relating to Open Source Software, unknown date <www.amazon.com/gp/BIT/thirdpartylicenses1/>.

136 Unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201420340>.

137 Unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201818950>.


The number of legals is itself an issue, because it makes it unlikely for
consumers to find them, let alone read them and understand them. The situation is
worsened by the great length and low readability of these documents. Echo’s core
legals amount to 457 pages,138 114,292 words (well above the average PhD
dissertation), 733,665 characters. They contain 23,667 complex words139 and are
therefore as readable as Machiavelli’s The Prince and as long as Harry Potter and
the Prisoner of Azkaban (Figure 2.2). This means that, should the consumer find
all the legals promptly, they would need approximately 20 hours to read them.140
Such breach of the principle of transparency is likely to be contrary to the
directive on Unfair Terms141 and Unfair Commercial Practices,142 the GDPR,143 as well
as general contract law.144 The next chapter will consider the issue of contractual
transparency as a fairness issue.


Figure 2.2 The Literatin add-on analyses the readability of texts by comparing their
complexity and length to famous books. [Screenshot not reproduced; panels: ‘Your text
is as complex as’, ‘Your text is as long as’, ‘Readability Statistics’.]


138 This is considering 250 words per page, as in Stuart Moran, Ewa Luger and Tom Rodden,
‘Literatin: Beyond Awareness of Readability in Terms and Conditions’ (ACM 2014).

139 I used the ‘Literatin’ add-on designed by ibid.

140 This calculation was made on the assumption that one reads 100 words per minute and can read
uninterrupted.


2.5.2 The Mountain Behind the Mountain: The Incontrollable Multiplication of the Legals 


In and of themselves, the ‘core’ legals justify the suggestion that IoT users find 
themselves stuck in a contractual quagmire. Should the keen consumer climb this 
legal mountain and find, read, and understand these 24 documents, they will soon 
realise that another mountain is hiding behind them. Countless other legals remain 
to be considered for at least five reasons: 


(i) A multilayered supply chain. This is due to a gargantuan corporate structure 
and to the widespread reliance on ‘affiliates.’ These are left unidentified, 
and Amazon disclaims liability for their activities, despite the fact that they 
provide key portions of Amazon’s offerings. 

(ii) ‘Things-as-a-service’ or hyperservitisation, as in the ubiquitous presence of 
services everywhere and in every Thing, as well as the provision of the Thing 
itself as a mere service. 

(iii) Controlled interoperability. IoT traders use contracts to regulate the interactions 
of their Things with umpteen third-party Things, services, and software. 

(iv) The overcoming of the trader-consumer dichotomy through the rise of prosumers. 
Consumers’ roles become fluid; they can identify as a trader, albeit 
temporarily. 

(v) The increasing shift from the IoT to the Cloud of Things. 

(vi) The wave of sustainability and corporate social responsibility (CSR) 
measures. 


2.5.2.1 A Journey in Amazon’s Multilayered Supply Chain 


As the analysis of the core legals shows, Echo’s consumers are in a contractual 
relationship with a number of companies that belong to Amazon’s corporate 
structure or are in some way associated with it. It is important to have a 
comprehensive picture of who these companies are for a fourfold reason. First, 
to identify the defendant in a potential action. No breach can be actioned if the 
claimant cannot identify a defendant who has standing. Second, this omission 
may fall foul of duties of precontractual information145 and may qualify as an 


141 Kasler (n 27). 

142 Case C-388/13 Nemzeti Fogyasztovedelmi Hatosag v UPC Magyarorszag Kft [2015] Bus LR 946. 
143 Art 12. 

144 Spreadex Ltd v Cochrane [2012] EWHC 1290 (Comm). 

145 Consumer Rights Directive, arts 5(1)(b) and 6(1)(b). 

unfair commercial practice.146 Third, to resolve questions of applicable law and 
jurisdiction — keeping in mind that, under unfair terms laws, consumers ‘should 
not normally be prevented from starting legal proceedings in their local courts.’147 
This explains why Echo’s consumers accept the jurisdiction of the courts of the 
district of Luxembourg City only in nonexclusive terms and retain the right to sue 
in the member state where they live.148 Fourth, ‘Amazon Europe shares customers’ 
information . . . with Amazon.com, Inc. and the subsidiaries that Amazon.com, 
Inc. controls.’149 Some of them may be subject to Amazon’s publicly available 
Privacy Notice; some others are not. These companies are declared to put 
in place data practices ‘at least as protective as those described in this Privacy 
Notice,’150 but due to corporate secrecy, there is no way to make sure that all the 
companies in Amazon’s supply chain stand by this commitment. At the time of 
writing, international data transfers could be justified if covered by an adequacy 
decision, such as the EU-US Privacy Shield.151 Most of Amazon’s subsidiaries 
were established in the US, but only five of them were Privacy Shield-certified, 
which meant that it was unclear whether the transfers of EU residents’ personal 
data to the US had a legal basis. This is all the more true after the recent 
Schrems II152 ruling that invalidated the Privacy Shield, leaving companies with no 
clear legal basis for international data transfers. Adequacy decisions are not the 
only method to justify international transfers. The main alternatives are agreements 
between public entities, binding corporate rules, standard contractual 
clauses, and approved codes of conduct. Amazon relies on ‘adequacy decisions or 
use contracts with standard safeguards published by the European Commission.’153 
However, this is not satisfactory. Indeed, although the CJEU in theory upheld the 
validity of standard contractual clauses, it has shifted the emphasis to the supplementary 
technical, contractual, and organisational measures that controllers must 
put in place when ‘the law or practice of the third country . . . may impinge 
on the effectiveness of the appropriate safeguards,’154 as is arguably the case 
with US law, where redress against state surveillance is not always available.155 


146 Unfair Commercial Practices Directive, art 7(4)(b). 

147 Competition & Markets Authority, Unfair Contract Terms Guidance. Guidance on the Unfair 
Terms Provisions in the Consumer Rights Act 2015 (CMA 2015) [5.29.7]. 

148 Conditions of Use & Sale, clause 14. 

149 Amazon UK Privacy Notice, last updated 23 September 2019. 

150 ibid. 

151 An adequacy decision is a decision whereby the European Commission finds that the third 
country’s level of data protection is adequate. The Privacy Shield instantiated this with regard to 
EU-US transfers. 

152 (n 113). 

153 Privacy Notice, clause 5. 

154 EDPB, ‘Recommendations 01/2020 on Measures That Supplement Transfer Tools to Ensure 
Compliance with the EU Level of Protection of Personal Data’ (2020) [30]. 

155 Schrems II (n 113) [115]. To assist data exporters and importers in assessing when the 
surveillance laws of a third country interfere with privacy rights and potentially invalidate the transfer, 
the European Data Protection Board has also adopted EDPB, ‘Recommendations 02/2020 on the 
European Essential Guarantees for Surveillance Measures’ (2020). 

Controllers must identify these supplementary measures on a case-by-case basis156 — 
which Amazon fails to do. 

In light of the importance of identifying the parties involved in this network of 
contracts, the analysis below will, first, attempt to present a picture of Amazon’s 
gargantuan corporate conglomerate and then explore the concept of ‘affiliate.’ 

Starting the journey in Luxembourg, where Amazon has its main European 
headquarters, we find nine companies, namely Amazon EU S.à r.l., Amazon Eurasia 
Holdings S.à r.l., Amazon Business EU S.à r.l., Amazon Payments Europe 
SCA, Amazon International Services S.à r.l., Amazon Services Europe S.à r.l., 
Amazon Media EU S.à r.l., Amazon Europe Core S.à r.l., and Amazon Web Services 
EMEA S.à r.l. 

Amazon EU S.à r.l. is the main European company, and it has registered 
branches in the UK, Italy, Germany, France, Spain, and the Netherlands. It also 
holds interests in other companies. There is no publicly available list of all the 
subsidiaries, but the main157 affiliated undertakings, whose share capital is held 
in its entirety by Amazon EU S.à r.l., are Amazon UK Services Limited, Amazon 
Data Services Ireland Limited, Amazon Fulfillment Poland sp. z o.o., and Amazon 
Italia Logistica s.r.l. 

Finally, the US parent company Amazon.com Inc., the ultimate parent company, 
has dozens of partly unidentified subsidiaries. The most significant ones are Amazon 
Services LLC, Amazon Digital Services LLC, Amazon.com Services Inc., 
and Amazon Technologies Inc.158 It is impossible to know exactly which companies 
are part of Amazon.com Inc.’s corporate family. By mere accident, while I 
was browsing the section of Amazon’s website dedicated to prospective employees, 
I stumbled upon a page referring to 17 ‘companies you might not realise 
are part of Amazon’s family,’159 including AbeBooks.com, Audible, Goodreads, 
IMDb, Twitch, and Whole Foods. I thought I could get a more complete picture 
of Amazon’s corporate structure if I could read the group’s consolidated financial 
statements. However, they ‘are available at 410 Terry Avenue North, Seattle’; this 
makes it rather impractical for the average consumer — or the average academic, 
for that matter — to retrieve the relevant information. 

In order to better understand with whom a consumer has a contractual relationship, 
it is also important to understand the repeated reference, found in many 
of Echo’s legals, to unidentified ‘affiliates.’ For example, under the Conditions 
of Use and Sale, ‘Amazon Europe Core S.à r.l., Amazon EU S.à r.l. and/or their 
affiliates (“Amazon”) provide website features and other products and services to 
you.’160 Even after reading the legals, browsing Amazon’s website, and inquiring 


156 EDPB (n 154) [46]. 

157 These are the main European subsidiaries in terms of carrying account, as reported in Amazon 
EU S.à r.l., ‘Registre de Commerce et Des Sociétés No RCS B101818; Référence de Dépôt 
L200046766; Déposé et Enregistré on 13 March 2020.’ 

158 Amazon.com, Inc. (n 19). 

159 ‘Subsidiaries’ (amazon.jobs) <www.amazon.jobs/en-gb/business_categories/subsidiaries>. 

160 Conditions of Use & Sale, preamble. 

with the customer support centre, I am not sure who these affiliates are and which 
functionalities, products, and services they provide. It would be important to answer 
these questions mainly for two reasons. First, Amazon disclaims all liability for 
the affiliates’ actions, products, and contents.161 Second, the affiliates’ legals will 
apply too, and Amazon expects you to ‘carefully review their privacy statements 
and other conditions of use.’162 After some digging, I came to the conclusion that 
‘affiliate’ may mean one of two things. It may refer to all those traders that become 
an ‘associate’ of Amazon for advertising purposes, e.g. by inserting Amazon banners 
on their website or linking to part of Amazon’s catalogue. The Amazon Affiliate 
Resource Centre163 provides the relevant information; the Associates Program 
Operating Agreement164 and the Associates Program Policies165 refer to affiliates 
and associates indistinctly. One of Amazon’s customer service advisers (Adviser 
X),166 consulted via live chat, confirmed that these are the affiliates referred to in 
the ‘legals,’ although they did not have a list of who precisely the affiliates were 
and which services, products, and functionalities they were responsible for. If this 
were the case, there may be potentially thousands of affiliates that play an important 
role in the consumers’ experience, access their data, and come with thousands 
of legals of their own. The second possible concept of ‘affiliate’ would refer to 
Amazon’s subsidiaries and those companies that provide some of Amazon’s products, 
services, and functionalities on the basis of stable arrangements. This interpretation 
is supported by four arguments. First, whereas the UK legals do not name 
any company that counts as an affiliate, the US legals do. In particular, under the 
US version of the Alexa Terms of Use,167 AMCS LLC is the affiliate that ‘may 
offer you certain Alexa-related communication services, such as the ability to 
send and receive messages and calls and connect with other Alexa users.’168 These 
are core functionalities of Amazon Echo (and of all the Alexa-enabled apps and 
Things) and are provided by a company that does not exist on any openly accessible 
traders directory, whose terms we are expected to nonetheless read and agree 
to, and for whose activities Amazon disclaims liability. Second, at the bottom of 
IMDb Conditions of Use, one can find a list of ‘Amazon Affiliates,’ namely, Prime 


161 ‘Amazon does not assume any responsibility or liability for the actions, product, and content’ of 
third parties, including the affiliated traders. Conditions of Use & Sale, point 11. 

162 ibid. 

163 <amazon-affiliate.eu/en/?pk_campaign=ukacbottomfotter>. 

164 Associates Program Operating Agreement, last updated on 6 September 2019 
<affiliate-program.amazon.co.uk/help/operating/agreement>. 

165 These are eight documents: Associates Program — Fee Statement; Associates Program — Participation 
Requirements; Associates Program — Products Statement; Associates Program — Mobile Application 
Policy; Associates Program — Trademark Guidelines; Associates Program — IP License; 
Associates Program — Amazon Influencer Program Policy; DE Associate Program Comparison 
Shopping Engine Requirements. These policies are undated and with unspecified parties but, 
positively, can be found all at <affiliate-program.amazon.co.uk/help/operating/policies>. 

166 I have contacted Adviser X on 1 October 2019 using Amazon’s live chat. 

167 Last updated on 14 June 2019 
<www.amazon.com/gp/help/customer/display.html?nodeId=201809740>. 

168 ibid, point 3.8. 

Video to stream movies and TV; Amazon UK, Amazon Germany, Amazon Italy, 
Amazon France, and Amazon India to buy DVDs; DPReview for digital photography; 
and Audible for audio books. All these traders are part of Amazon’s corporate 
group. Third, another clue comes from the comparison between the sections ‘Make 
Money with Us’ in the UK and in the US (Figure 2.3). 

The UK’s Associates Programme corresponds to ‘Become an Affiliate’ in the 
US. This would suggest that the references to ‘affiliates’ in the UK legals may be 
a legacy problem. Indeed, it is common practice for US companies who operate 
in Europe to regulate the relationship with European consumers with legals that 
are nearly identical to the US version, with minor changes to the limited extent 
imposed by the law and by spelling conventions.169 The last argument in favour 
of ‘affiliates’ as subsidiaries and traders with stable arrangements with Amazon is 
based on a second interaction with Amazon customer support, this time with the 
‘Associate Team’ (affiliati in Italian)170 and by email. Adviser Y from this team 
did not answer my questions on who the affiliates are and which services, products, 
and functionalities they provide. After I asked that the matter be escalated, 
Adviser Z171 replied that Amazon Europe Core S.à.r.l., Amazon EU S.à.r.l. Italia, 


Figure 2.3 The ‘Make Money with Us’ section at the bottom of Amazon.co.uk (left) and 
Amazon.com (right).172 


169 Noto La Diega and Walden (n 8). 

170 The exchange took place on 1 October 2019 with I., an advisor from the Programma Affiliazione 
(the Italian equivalent of the Associate Programme). 

171 Email exchange of 1 October 2019 with Amazon’s advisor Z. 

172 The screenshot on the left was captured on 1 October 2019 at 
<www.amazon.co.uk/gp/help/customer/display.html?nodeId=201809740>; the screenshot on the right at 
<www.amazon.com/gp/help/customer/display.html?nodeId=201809740>. 

Amazon Services Europe S.à.r.l., and Amazon Media EU S.à.r.l. ‘are responsible 
for providing functionalities, products, and services,’ but they neither clarified 
whether this list is exhaustive nor shed light on which services, products, and 
functionalities those traders are responsible for. Adviser Z only clarified that Amazon Europe 
Core S.à.r.l is responsible for the main website, but other services are provided 
by other affiliates, ‘for example Amazon’s MP3 Service is provided by Amazon 
Media EU S.à r.l.’ Although this only partly answered my question, it did have an 
unintended positive consequence. Indeed, I had not previously found the conditions 
of use of AutoRip,173 Amazon’s service to convert purchased CDs into MP3s. 

Based on these four arguments, though no conclusive answer has been found, 
it is fair to assume that the unidentified affiliates that are party to most legals 
Amazon Echo consumers accept and for which Amazon disclaims liability are 
its subsidiaries or other companies with which it has stable arrangements to provide 
certain services, products, or functionalities. In theory, consumers would be 
expected to find and read also the affiliates’ ‘legals,’ but since even identifying 
them is virtually impossible, it is safe to say that consumers cannot be assumed 
to be bound by any obligations under them and Amazon’s liability disclaimers 
should be deemed to be unenforceable. This may depend on the rules on unfairness 
in consumer contracts, as elaborated in the next chapter, or on the rules on 
vagueness in general contract law. Vague clauses ‘are not in general enforced in 
English law’174 and in all those jurisdictions where courts tend to refrain from 
rewriting contracts on behalf of the parties.175 Under Scammell v Ouston,176 leading 
authority in the field, when a phrase is ‘so vaguely expressed that it cannot, 
standing by itself, be given a definite meaning,’177 the relevant clause must be 
regarded as too uncertain to be enforceable. There are two scenarios in which 
courts may decide to give enforceable content to vague clauses. First, when 
case-specific contextual factors apply. For example, in Shamrock v Storey,178 a contract 
referred to unspecified ‘terms of usual colliery guarantee,’ and there were three 
forms of colliery guarantee; however, since all of them contained the same provision 
on the relevant point (the loading time in a contract for the sale of coal), duties 
and rights were in fact clear. In our scenario, despite my efforts, it was impossible 
to identify the ‘affiliates,’ and therefore, the relevant duties remaining unclear, 
the clause should be deemed unenforceable. The same applies to the second set 
of contextual factors that courts may consider to enforce vague clauses, namely, 
commercial usage. Expressions such as ‘reasonable’ and ‘best endeavours’ are 
vague and yet customary in commerce. They make for flexible and enforceable 


173 AutoRip Terms & Conditions, last updated on 1 October 2019. 

174 TT Arvind, Contract Law (OUP 2017) 249. 

175 See e.g. Alessandro D’Adda, ‘La Correzione Del “Contratto Abusivo”: Regole Dispositive in 
Funzione “Conformativa” Ovvero Una Nuova Stagione per l’equita Giudiziale?’ in Alessandro 
Bellavista and Armando Plaia (eds), Le invalidità nel diritto privato (Giuffrè 2011) 394. 

176 [1941] AC 251. 

177 Ibid [254] per Viscount Simon. 

178 (1899) 81 LT 413. 

contracts; however, ‘straying beyond these established types of clauses can lead to 
the contractual provisions . . . becoming unenforceable,’179 which is the case with 
Amazon’s contractual quagmire. 

The AutoRip example leads us nicely to the second reason that the number 
of Echo’s legals is considerably higher than the 24 core legals: the growth of 
‘Things-as-a-service’ or hyperservitisation.180 


2.5.2.2 Things-as-a-Service 


Whilst traditional markets were focused on the sale of goods, with the dematerialisation 
that followed the digital revolution, the key has become the provision 
of services. Servitisation refers to ‘manufacturing firms developing the capabilities 
they need to provide services and solutions that supplement their traditional 
product offerings’181 and has been a trend for many years now. Forty-eight percent 
of traders profiting from servitisation leverage data from the IoT.182 By calling 
into question the very ideas of ‘goods’ and ‘ownership,’ the IoT ushers in 
the ‘Thing-as-a-service’ era.183 With the advent of cloud computing, companies 
no longer need to have certain resources in-house; resources are virtualised and 
are accessed remotely on-demand.184 Services are structured according to their 
level of abstraction, typically resulting in the three layers, namely, software-as-a-service, 
platform-as-a-service, and infrastructure-as-a-service.185 With the IoT, 
services become so pervasive that a fourth layer should be considered, namely, 
the ‘Thing-as-a-service.’186 Thing-as-a-service means both that (i) the Thing is 
provided as if it were a service, namely, under a subscription contract, rather than 
a sale, and that (ii) the service component of the Thing instantiates the core of the 


179 Arvind (n 174) 249. 

180 Guido Noto La Diega, ‘Can Artificial Intelligence and the Internet of Things Be Governed to 
Achieve the UN Sustainable Development Goals? An Intellectual Property Law Perspective’ WTO 
Public Forum, AIPPIs Working Session “New Digital Technologies: the Protagonists of a Change 
in Perspective in the Global Supply Chain (2019) <https://papers.ssrn.com/abstract=3505247>. 

181 Charles Rathmann, ‘Industrial Servitization and Field Service Technology’ (2018) IFS White 
Paper. 

182 ibid. 

183 Christiane Wendehorst, ‘Consumer Contracts and the Internet of Things’ in Reiner Schulze and 
Dirk Staudenmayer (eds), Digital Revolution — Challenges for Contract Law in Practice (Nomos 
2016) 189. 

184 ME Khalil, K Ghani and W Khalil, ‘Onion Architecture: A New Approach for XaaS (Every-Thing- 
as-a Service) Based Virtual Collaborations’ 2016 13th Learning and Technology Conference 
(L&T) (2016); Guido Noto La Diega, ‘Il Cloud Computing. Alla Ricerca Del Diritto Perduto Nel 
Web 3.0’ (2014) 2 Europa e diritto privato 577. 

185 D Androcec and N Vrcek, ‘Thing as a Service Interoperability: Review and Framework 
Proposal’ 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud) 
(IEEE 2016). 

186 This is akin to the idea of Everything as a Service (XaaS), but with an IoT focus. Y Duan, Y Cao 
and X Sun, ‘Various “AaS” of Everything as a Service’ 2015 IEEE/ACIS 16th International 
Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed 
Computing (SNPD) (IEEE 2015). 

Thing, the essential functionality that the consumer expects. The IoT enables new 
and ubiquitous services that can be accessed by an increasing number of Things 
in close proximity to the end user.187 Whilst this hyperservitisation can benefit 
consumers, the more the services — and the more they are distributed and hidden 
in countless Things — the higher the complexity to untangle, and the more the 
legals to find, read, and make sense of. To map Echo’s legals, one would need to 
have a clear idea of all the services that the speaker’s consumers can access. This 
is impossible, however. 

As provided with baffling vagueness in the Conditions of Use and Sale, Amazon 
offers ‘a wide range of Amazon Services, and sometimes additional terms 
may apply.’188 Amazon does not clarify when additional terms indeed apply, nor 
do they provide a full list of such services; they only make the ‘example [of] Your 
Profile, Gift Cards or Amazon applications for mobile.’ It would be important to 
find these additional terms because ‘[i]f these Conditions of Use are inconsistent 
with the Service Terms, those Service Terms will control.’189 Alarmed by this 
clause, I ventured to search for additional terms. Whilst I could not find the terms 
applicable to Your Profile, after some digging I managed to find the following 55 
Thing-as-a-service-related legals. 

The Thing-as-a-service-related legals confirm issues of: 


(i) Incontrollable multiplication of legals; 
(ii) Difficulty to find the legals; 
(iii) Unclear contractual parties, partly due to the gargantuan corporate structure 
and the reliance on affiliates; 
(iv) Unclear subject matter; 
(v) Control of every layer through IP rights and corresponding death of ownership; 
(vi) Difficulty to distinguish between hardware, software, service, and data; 
(vii) Untenable resting on the dichotomy between personal data and nonpersonal 
ones. 


It should be noted that it is unclear why all these services need ad hoc separate legals 
and why they are not listed by Amazon in its ‘Legal Policies’ section of the website, 
which currently shows only seven legals.190 To give a sense of how difficult it is to 
find all the relevant legals, see Figure 2.4, which follows, about Amazon Now’s terms. 
The consumer will have to open the app, click on the ‘hamburger button,’ then click 
‘Help & About,’ followed by ‘About,’ ‘Legal information,’ and ‘Additional terms.’ 
All this happens in-app. Finally, one has to open a browser and search for HERE 


187 Anna Rymaszewska, Petri Helo and Angappa Gunasekaran, ‘IoT Powered Servitization of 
Manufacturing — an Exploratory Case Study’ (2017) 192 International Journal of Production 
Economics 92. 

188 Conditions of Use, preamble. 

189 Conditions of Use & Sale, preamble to the conditions of use. 

190 <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_be_nav?ie=UTF8&nodeId=GWFZQ8U37JV9AUTS>. 


Table 2.2 Amazon Echo’s Legals Related to Thing-as-a-Service 

| Name | Parties | Subject Matter | Issues |
|---|---|---|---|
| Amazon.co.uk Gift Card Content Submission Terms and Conditions191 | Unspecified | Submission of digital images for display on a gift voucher | |
| Amazon.co.uk Promotional Code and Promotional Credit Terms and Conditions192 | Unspecified | Certain promotional offers, as defined on the landing page of the relevant promotion | I did not find this document initially, but I was intrigued by Amazon Prime Terms and Conditions’ passage whereby ‘Prime Terms trial or other promotional memberships . . . are subject to these Terms except as otherwise stated in the promotional membership terms.’193 |
| Qualified Promotions Terms and Conditions194 | Unspecified | Promotions available to consumers who take qualifying actions, such as spending a minimum amount or buying one product to receive another product for free | |
| Amazon Dash Replenishment Terms of Use195 | Amazon EU S.à r.l. and its affiliates | Service of reordering supplies of consumer goods through a physical or virtual button or auto-detection capabilities | It covers both the software and the hardware components of the button. However, the latter is mainly governed by the aforementioned Amazon Device Terms of Use.196 |
| Amazon Discount Voucher Terms and Conditions197 | Unspecified | Discount vouchers | |
| Twitch Terms of Service198 | Twitch Interactive Inc. (bought by Amazon.com in 2014) and its affiliates | Gaming and interactive entertainment | These are complemented by 16 separate documents carrying the Privacy Notice199 and Choices,200 the Community Guidelines,201 DMCA Guidelines,202 Trademark Policy,203 Trademark Guidelines,204 Terms of Sale,205 Developer Agreement,206 Affiliate Program Agreement,207 Supplemental Fees Statement,208 Ad Choices,209 Channel Points Acceptable Use Policy,210 Bits Acceptable Use Policy,211 Cookie Policy,212 Photosensitive Seizure Warning,213 and Events Code of Conduct214 |


191 
192 
193 
194 
195 
196 
197 
198 
199 
200 
201 
202 
203 
204 
205 
206 
207 
208 
209 
210 
211 
212 
213 
214 


Unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeld=201971000>. 
Unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeld=201895970>. 
Amazon Prime Terms and Conditions, point 3.5. 

Unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeld=201622460>. 


Last updated on 24 May 2018 <www.amazon.co.uk/gp/help/customer/display.html?nodeld=201730770>. 


Last updated on 4 September 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeld=202002080>. 


Unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeld=201896080>. 
Last updated on 16 April 2019 <www.twitch.tv/p/legal/terms-of-service/>. 

Last updated on 10 August 2018 <www.twitch.tv/p/legal/privacy-policy/>. 

Last updated on 9 September 2019 <www.twitch.tv/p/legal/privacy-choices/>. 

Last updated on 12 September 2019 <www.twitch.tv/p/legal/community-guidelines/>. 
Last updated on 27 March 2019 <www.twitch.tv/p/legal/dmca-guidelines/>. 

Last updated on 9 February 2017 <www.twitch.tv/p/legal/trademark-policy/>. 

Last updated on 11 July 2018 <www.twitch.tv/p/legal/trademark/>. 

Last updated on 10 September 2019 <www.twitch.tv/p/legal/terms-of-sale/>. 

Last updated on 19 July 2019 <www.twitch.tv/p/legal/developer-agreement/>. 

Last updated on 8 June 2018 <www.twitch.tv/p/legal/affiliate-agreement/>. 

Last updated on 18 December 2018 <www.twitch.tv/p/legal/supplemental-fees-statement/>. 
Last updated on 30 May 2013 <www.twitch.tv/p/legal/ad-choices/>. 


Last updated on 3 September 2019 <www.twitch.tv/p/legal/channel-points-acceptable-use-policy/>. 


Last updated on 23 April 2018 <www.twitch.tv/p/legal/bits-acceptable-use/>. 
Last updated on 22 February 2019 <www.twitch.tv/p/legal/cookie-policy/>. 

Last updated on 5 July 2014 <www.twitch.tv/p/legal/seizure-warning/>. 

Last updated on 20 June 2019 <www.twitch.tv/p/legal/events-code-of-conduct/>. 
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Table 2.2 (Continued) 


Name: Kindle Store Terms of Use215
Parties: Amazon Media EU S.à r.l. and its affiliates
Subject Matter: Kindle content and software, Kindle store and support
Issues: It includes matters that would traditionally qualify as services, as well as software and data.

Name: Audible Service Conditions of Use216
Parties: Audible Limited, whose immediate parent company is Audible Inc.; Amazon.com Inc. is their holding company217
Subject Matter: Spoken-word audio entertainment services through Audible’s websites and apps
Issues: This document includes the Audible Purchase Terms and Conditions, Audible Terms and Conditions for Gift and Promotional Codes and Vouchers, Audible Plan Terms, Additional Software Terms, and Great Listen Guarantee Terms and Conditions. Separate policies regard privacy218 and cookies.219

Name: IMDb Conditions of Use220
Parties: IMDb.com Inc. and its affiliates. The company was acquired by Amazon.com in 1998.
Subject Matter: IMDb services that include products, software, and apps provided by the online movie database
Issues: In separate pages, the eager consumer may find the IMDb Privacy Notice,221 the Third Party Licensing Notices for iOS222 and Android,223 and the policy on Interest-Based Ads.224 The latter, albeit hosted on Amazon’s main website and seemingly referring to all of Amazon’s services and products, is different from the Interest-Based Ads policy mentioned above, which raises the issue of how to reconcile the inconsistencies. For example, IMDb’s policy does not contain a commitment not to associate consumer ‘interactions on unaffiliated sites with personally identifiable information.’

Name: Amazon Appstore for Android Terms of Use225
Parties: Amazon Media EU S.à.r.l. and its affiliates
Subject Matter: Amazon Appstore for Android and associated software, services, and purchases

Name: Additional Terms Relating to Amazon Apps Software226
Parties: Unspecified
Subject Matter: Licensed use of third-party software in Amazon’s apps

Name: Amazon Coins Terms227
Parties: Amazon Media EU S.à r.l. and its affiliates
Subject Matter: Amazon Coins, a cryptocurrency that allows consumers to purchase digital products (apps, games, and in-game items) on Amazon Appstore

Name: Amazon App Suite Legal Notices228
Parties: Unspecified
Subject Matter: Virtually any aspect of Amazon’s apps is covered by patents, trademarks, copyright, or other forms of IP
Issues: It evidences the phenomena of death of ownership and digital dispossession.


215 Last updated on 23 May 2018 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201014950>.

216 Last updated on 4 December 2018 <www.audible.co.uk/legal/conditions-of-use?moduleId=201654400&ie=UTF8#p7>.

217 Audible Limited Report and Financial Statements, Year ended 31 December 2018, retrieved from the Traders House directory, whose servers are interestingly hosted by Amazon itself.

218 Audible Privacy Help Page, unknown date <www.audible.co.uk/ep/privacyfaq>.

219 Cookies Notice, last updated on 23 May 2018 <www.audible.co.uk/legal/cookies-and-advertising?moduleId=201654420&pf_rd_p=8b988335-dfd9-4b60-bde4-28fd204e4999&pf_rd_r=Y7NE7V4D1MB9PMPHBS6C&ref=mn_anon-h_ f6 ca>.

220 Unknown date <www.imdb.com/iphone_app/conditions/?pf_rd_m=A2FGELUUNOQJNL&pf_rd_p=89741122-4d15-4fc0-b4b2-7bc3d5403f19&pf_rd_r=NT58F7QFWDBSQGH3SEG3&pf_rd_s=center-l&pf_rd_t=60601&pf_rd_i=iphone_app.terms&ref_=fea_lw_1>.

221 Last updated on 8 February 2018 <www.imdb.com/iphone_app/privacy/?pf_rd_m=A2FGELUUNOQJNL&pf_rd_p=89741122-4d15-4fc0-b4b2-7bce3d5403f19&pf_rd_r=NT58F7QFWDBSQGH3SEG3&pf_rd_s=center-1&pf_rd_t=60601&pf_rd_i=iphone_app.terms&ref_=fea_lw_2>.

222 Unknown date <www.imdb.com/iphone_app/terms_thirdparty_ios/?pf_rd_m=A2FGELUUNOQJNL&pf_rd_p=89741122-4d15-4fc0-b4b2-7bc3d5403f19&pf_rd_t=NTS58F7QFWDBSQGH3SEG3&pf_rd_s=center-l&pf_rd_t=60601&pf_rd_i=iphone_app.terms&ref_=fea_lw_3>.

223 Unknown date <www.imdb.com/iphone_app/terms_thirdparty_android/?pf_rd_m=A2FGELUUNOQJNL&pf_rd_p=89741122-4d15-4fc0-b4b2-7bce3d5403f19&pf_rd_r=NTS58F7QFWDBSQGH3SEG3&pf_rd_s=center-1&pf_rd_t=60601&pf_rd_i=iphone_app.terms&ref_=fea_lw_4>.

224 Unknown date <www.amazon.com/b/?node=5160028011&ref_=fea_lw_5>.

225 Last updated on 23 May 2018 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201485660&_encoding=UTF8&ref_=mas_ help legacy legal doc page>.

226 Last updated on 30 August 2012 <www.amazon.co.uk/gp/feature.html/ref=amb_link_170954367_4?ie=UTF8&docId=1000662743&pf_rd_m=A3P5SROKLSA1OLE&pf_rd_s=center-2&pf_rd_r=-03AVGHSRAOMNZ21CFKPS&pf_rd_t=1401&pf_rd_p=500480187&pf_rd_i=1000655093>.

227 Last updated on 23 May 2018 <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=20143452>.

228 Unknown date <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201357690>.
Table 2.2 (Continued)


Name Parties Subject Matter Issues 
Amazon GameCircle Amazon Media EU Amazon GameCircle (game-related Echo can be used to control Fire TV, and the 
Terms of Use229 S.à.r.l. and its features, e.g. storage of game latter’s app is available on Echo Show.
affiliates data on the cloud) and associated Therefore, Fire TV’s legals will apply. 
software and service 
Amazon Fire TV App Amazon Media EU Mobile app and software associated 
Terms of Use S.à.r.l. and its to Amazon Fire TV app, through 
affiliates which Things can be used to 


Amazon Silk Terms
and Conditions230


Fire for Kids Unlimited
and Kindle for
Kids Terms and
Conditions231

Amazon App Legal
Notice232


Legal Here Service
Terms233


Amazon EU S.à r.l. 


Amazon Media EU 
S.à.r.l., Amazon 
Video Limited, and 
their affiliates 

Unspecified 


HERE Global B.V. 


control Amazon Fire TV devices 
Amazon Silk browser software and 
related services 


Digital content (e-books, movies, 
games, etc.) for children aged 3 to 
12 years old 


It contains a patent notice, a notice 
and take-down procedure for 
copyright infringement, an open- 
source software notice, and third 
parties copyright licenses 

Unclear. HERE is Amazon’s 
licensor that provides unspecified 
‘portions of the Amazon 
Service,’234 in particular Prime
Now, which offers household 
items and essentials with 2-hour 
delivery. 


The link to these terms is broken, and one needs 
to resort to external search engines to find 
them. 


It is available only on the Fire TV mobile app 
and cannot be found anywhere else. 


Subject matter’s lack of definition.
Additionally, it is unclear — although I would be
inclined to answer in the positive — whether
also the other HERE legals would apply,
namely, End User License Agreement,235
Terms for HERE Products and Services,236
HERE Mobility Terms,237 Open Location
Platform Terms,238 Other legal information
and notices,239 HERE XYZ Pro Beta Terms
and Conditions.240
Name: Amazon Maps Terms of Use241
Parties: Amazon Media EU S.à.r.l. and its affiliates
Subject Matter: Maps service, data, and associated software
Issues: Unlike the other legals, these terms do not refer to the main privacy policy. The reason may be the erroneous conviction that location data is not personal data and the resting on the outdated dichotomy between personal and nonpersonal data. Inasmuch as the service involves personal data processing, Amazon’s Privacy Notice should apply. For example, since ‘map data’ are defined as including ‘reviews, and other related information,’242 these could well identify a data subject.

Name: AutoRip Terms and Conditions243
Parties: Amazon EU S.à r.l. and Amazon Digital UK Ltd
Subject Matter: AutoRip (provision of MP3 versions of eligible physical albums) and Amazon Music library
Issues: I found this document only because one of Amazon’s advisers mentioned it in passing as an example of a service provided by one of Amazon’s affiliates.


229 Last updated on 23 May 2018 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201283870>.

230 Last updated on 26 December 2017 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=200775270>.

231 Last updated on 4 June 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201222340>.

232 Unknown date, unknown parties, and unknown URL. The Fire TV app has been accessed on 2 October 2019 from an Android phone.

233 Last updated on 12 April 2015 <legal.here.com/en-gb/terms>.

234 Prime Now App’s Additional Terms, available only in-app.

235 Updated on 8 March 2016 <legal.here.com/en-gb/terms/end-user-license-agreement>.

236 Last updated on 13 June 2019 <legal.here.com/en-gb/terms/terms-for-here-products-and-services>.

237 Last updated on 4 June 2019 <legal.here.com/en-gb/terms/here-mobility-terms>.

238 Last updated on 7 June 2019 <legal.here.com/en-gb/terms/open-location-platform-terms>.

239 Last updated on 7 June 2019 <legal.here.com/en-gb/terms/other-legal-information-and-notices>.

240 Last updated on 8 July 2019 <legal.here.com/en-gb/HERE-XYZ-Pro-Beta-Terms-and-Conditions>.

241 Last updated on 23 May 2018 <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=201544030>.

242 ibid.

243 Last updated on 1 October 2019 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201420350>.
Figure 2.4 ‘Screens’ to go through before accessing all of Prime Now’s legals.


Global B.V.’s terms. Regrettably, these legals teem with casting-net provisions, that
is, ‘mean-spirited contract provision[s that] cast . . . a wide net that captures other
contracts, leaving the consumer with the daunting task of reconciling possibly conflicting
terms.’244 IoT consumers are bounced from one document to another, which questions
whether consumers can be deemed to be bound by these terms.


244 Nancy S Kim, Wrap Contracts: Foundations and Ramifications (OUP 2013) 67.


2.5.2.3 Controlled Interoperability


This hyperservitisation leads to a multiplication of legals that is only matched
by another characteristic of the IoT, namely, the interactions with third parties’
Things, software, and service. In the context of Echo, this takes the form of the
Works with Alexa—certified products and the Alexa-compatible brands.245
Interoperability is regulated both by technological means (e.g. communication protocols)
and by contractual ones (e.g. EULA).246 If this regulation is too strict, it can lead
to closed systems that cannot work together, that is, the Internet of Silos.
Unrestrained interoperability, conversely, can be perceived as leading to uncontrolled
actions and data flows, with harms whose liability cannot be easily allocated.

Amazon Echo can be controlled by, control, and share data with over 60,000 third
parties’ Things (e.g. Google Nest Thermostat and Samsung’s cleaning robot Powerbot)
from more than 7,400 brands. Therefore, a consumer who would like to
have a clear picture of their rights, obligations, and risks would be expected to
find and read also these thousands of third parties’ legals. It is not very likely that
this will happen, because the consumer would have to spend months, if not years,
just looking for the legals and then try to understand their content, the relationships
between them, and to endeavour to reconcile the inconsistencies.

Controlled interoperability explains why another set of legals should be taken into
account, namely, the developers’ legals. They govern how third parties’ developers
can enable access to Amazon products and services in their own apps and devices.
This contractual thicket has an influence on how personal data is processed, liability
allocated, etc. They are also important because they regulate the interoperability of
Amazon Echo with third-party products and services. Intricate liability issues stem
from these (sometimes unforeseen) interactions. Of the twelve ‘developer legals,’
Table 2.3 focuses on the main documents consumers should be aware of.

Other ‘developer legals’ include the Alexa Built-In Trademark Usage
Guidelines,247 Mobile Ad Network Program Participation Requirements,248
Mobile Ad Network Publisher Agreement,249 Works with Alexa — Program
Guidelines,250 Works with Alexa — Trademark Usage Guidelines,251 Certified
for Humans — Program Guidelines,252 Program Materials License Agreement,253
Trademark, Brand, and Marketing Guidelines,254 and Amazon Developer Services
Portal Terms of Use.255 Their separate analysis is not necessary because
they affect consumer rights only indirectly.


245 The list is available at <developer.amazon.com/en-GB/alexa/connected-devices/compatible>.

246 Developers must make sure that their app’s EULA complies with the requirements of the Amazon
Developer Services Agreement (see clause 4(a)).

247 Unknown date <developer.amazon.com/support/legal/alexa_built_in_trademark_usage_guidelines>.

248 Last updated on 31 August 2015 <developer.amazon.com/support/legal/mobileads/participation-requirements>.

249 Last updated on 14 May 2018 <developer.amazon.com/support/legal/mobileads/terms-and-agreements>.

250 Unknown date <developer.amazon.com/support/legal/wwa-program-guidelines>.

251 Unknown date <developer.amazon.com/support/legal/wwa-trademark-usage-guidelines>.

252 Unknown date <developer.amazon.com/support/legal/certified-for-humans-program-guidelines>.

253 Last updated on 22 August 2018 <developer.amazon.com/support/legal/pml>.

254 Last updated on 17 May 2018 <developer.amazon.com/support/legal/tuabg>.

255 Last updated on 24 May 2018 <developer.amazon.com/support/legal/tou>.
Table 2.3 Amazon Echo’s Key Developer Legals


Name: Amazon Developer Services Agreement256
Parties: Amazon Digital Services LLC, Amazon Media EU S.à.r.l., Amazon Services International Inc., Amazon Servicos de Varejo do Brasil Ltda., Amazon.com Int’l Sales Inc., Amazon Australia Services Inc., Amazon Mexico Services Inc., and their affiliates
Subject Matter: All the apps, digital content, and Things that embed Amazon’s service or software
Issues: In Amazon’s lingo, these are called ‘skills.’ For example, LG is likely to have agreed to this contract when developing its ThinQ Alexa-enabled fridges.

Name: Alexa Voice Service Program Requirements257
Parties: Unspecified
Subject Matter: More detailed rules regarding Alexa Voice Service (AVS) Products and AVS Components
Issues: Products are Alexa-powered third-party devices and apps; the requirements apply also to these devices and apps’ components.

Name: Alexa Device Requirements258
Parties: Unspecified
Subject Matter: ‘[A]ll Devices, including AVS Products, AVS Components, and Alexa Gadgets’259
Issues: Very broad scope, ranging from the prevention of unlawful content, e.g. pornography, to the prevention of activities, e.g. unauthorised gambling.


256 Last updated on 14 February 2019 <developer.amazon.com/support/legal/da>.

257 Unknown date <developer.amazon.com/support/legal/alexa/alexa-voice-service/terms-and-agreements>.

258 Unknown date <developer.amazon.com/support/legal/alexa_device_requirements>.

259 ibid.


The developers’ legals present similar issues to the ones analysed in previous
passages, that is, the multiplication of legals, the difficulty to find them, the lack
of clarity as to the contractual parties, and the overcoming of traditional concepts
of service and product. Additionally, their intricate web heavily controls
interoperability in a proprietary and closed way. To exemplify this, suffice it to say that
developers are prevented from using open-source software, insofar as it requires
Amazon to disclose or make available any software and materials.260 It would
be excessive to qualify Amazon’s approach as leading to the Internet of Silos.
Indeed, the use of open source is, in principle, allowed.261 Nonetheless, it is a
fundamentally proprietary system that, as such, deprives consumers of the benefits
of generalised interoperability. From the fact that Things are an amalgam of
software, service, etc., it follows that each component must be open for the Thing and
the system to be open.262 Open software will not suffice if it is not complemented
by open hardware and open data.

Understanding the interactions between Echo and third parties’ Things,
software, and service is important to consumers also due to the rise of ‘prosumers,’
that is, the fourth determinant of the multiplication of legals in the IoT.


2.5.2.4 Overcoming the Trader-Consumer Dichotomy: The Time of Prosumers


We live in the time of prosumers, who ‘refuse the two-polar definition of growth
economy knowing that every producer is also a consumer and every consumer is a
producer.’263 The overcoming of the consumer-trader binary — particularly evident
in the ‘smart’ economy264 — is also recognised by EU consumer laws that encompass
dual-purpose contracts. Such a contract is concluded for purposes that are
partly within and partly outside the person’s trade, if ‘the trade purpose is so
limited as not to be predominant in the overall context of the contract.’265 As Jeremy
Rifkin put it, by leveraging the IoT, ‘[p]rosumers can . . . accelerate efficiency,
dramatically increase productivity, and lower the marginal cost of producing and
sharing a wide range of products and services to near zero, just like they now do
with information goods.’266 In light of the key role of prosumers in the IoT,
Amazon Echo’s consumers, acting even temporarily in a professional capacity, will
have to consider also the following 56 legals.

These legals confirm the aforementioned issues and are of particular relevance
to understand the death of ownership, as considered in Chapter 6.


2.5.2.5 The Cloud of Things


The fifth determinant of the staggering number of legals is the shift from IoT to
the Cloud of Things, namely, the increasing reliance of Things on cloud computing.
In light of the limited processing capabilities of most commercially available


260 Amazon Developer Services Agreement, 4(c). 

261 ibid 10(f). 

262 cf Alexander Kotsev and others, ‘Next Generation Air Quality Platform: Openness and 
Interoperability for the Internet of Things’ (2016) 16 Sensors 403. 

263 Uygar Ozesmi, ‘The Prosumer Economy—Being Like a Forest’ [2019] arXiv preprint 
arXiv:1903.07615. 

264 Rifkin (n 28) 163. 

265 Consumer Rights Directive, recital 17. 

266 Rifkin (n 28) 3. 
Table 2.4 Amazon Echo’s Legals for Prosumers


Name: Non-Disclosure Agreement267
Parties: Amazon EU S.à.r.l. and its affiliates
Subject Matter: Confidential information disclosed to those who are engaged in or considering a business relationship with Amazon

Name: Non-Exhaustive List of Amazon Trademarks268
Parties: Unspecified
Subject Matter: Registered trademarks
Issues: Especially for prosumers, it is useful to know that Amazon has 237 trademarks in the UK, including arguably not very distinctive signs, such as ‘bottom of the page’269 and ‘1-click’270

Name: Non-Exhaustive List of Applicable Amazon Patents and Applicable Licensed Patents271
Parties: Unspecified
Subject Matter: The list includes 104 patents that apply to Amazon.com and to the features and services accessible via the site.
Issues: Patents monopolise both tangible and intangible inventions. See e.g. a ‘[s]ecure method and system for communicating a list of credit card numbers over a non-secure network.’272

Name: Amazon Services Europe Business Solutions Agreement273
Parties: Amazon Services Europe S.à.r.l.
Subject Matter: Optional seller services, including selling on Amazon, sponsored ads, selling partner API
Issues: This agreement is complemented by 52 policies, agreements, and guidelines, etc.274 that I will not analyse because the agreement will usually prevail on them275 and because they are less directly relevant to consumers.


267 Unknown date <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=20202992>.

268 Unknown date <www.amazon.co.uk/gp/help/customer/display.html?nodeId=200952730>.

269 EU003367935, priority date 26 March 2003, owned by Amazon Europe Core S.à r.l.

270 EU000865527, priority date 2 January 1998, owned by Amazon Europe Core S.à r.l.

271 Last updated on 21 January 2011 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201909270>.

272 US5715399 (A) — 1998-02-03, invented by Jeff Bezos and owned by Amazon.com, Inc.

273 Last updated on 1 October 2019 <sellercentral.amazon.co.uk/gp/help/external/201190440?language=en_GB&ref=efph_201190440_cont_521>.

274 Unknown date <sellercentral.amazon.co.uk/gp/help/external/help-page.html?itemID=521&language=en_GB&ref=efph_521_bred_201190440>.

275 ‘If there is any conflict between these General Terms and the applicable Service Terms and Program
Policies, the General Terms will govern and the applicable Service Terms will prevail over
the Program Policies’ (Amazon Services Europe Business Solutions Agreement, general terms).


Table 2.5 Amazon Echo’s Cloud-Related Legals


Name: AWS Customer Agreement276
Parties: Amazon Web Services EMEA S.à.r.l.
Subject Matter: Service offerings defined as ‘the Services (including associated APIs), the AWS Content, the AWS Marks’277
Issues: Despite the contractual party being Amazon Web Services EMEA S.à.r.l., affiliates are responsible for making available some contents, e.g. APIs. The document contains casting-net provisions as it refers to the AWS Service Terms for the definition of ‘services.’

Name: AWS Service Terms278
Parties: Unspecified
Subject Matter: It deals with 89 services, including Alexa.
Issues: It lists the services, but it does not define them. Some of the services come with additional terms.279

Name: AWS Acceptable Use Policy280
Parties: Amazon Web Services Inc. and its affiliates
Subject Matter: Prohibits certain uses of the services and of AWS.Amazon.com
Issues: Broad scope, ranging from IP infringement to child pornography.

Name: AWS Privacy Notice281
Parties: Amazon Web Services EMEA Sarl.
Subject Matter: Data processing in relation to any AWS websites, applications, products, services, and events
Issues: Refers to the now-invalidated Privacy Shield, while declaring not to rely on it and stating that extra-EEA data transfers are done ‘in accordance with the terms of this Privacy Notice and applicable data protection law.’282


276 Last updated on 20 April 2019 <aws.amazon.com/agreement/>.

277 ibid, point 14.

278 Last updated on 27 September 2019 <aws.amazon.com/service-terms/>.

279 AWS services include inter alia Alexa Web Services, AI Services, and IoT 1-Click.

280 Last updated on 16 September 2019 <aws.amazon.com/aup/>.

281 Last updated on 10 December 2018 <aws.amazon.com/privacy/>.

282 ibid, para ‘Additional Information for Certain Jurisdictions.’
Table 2.5 (Continued)


Name: AWS GDPR Data Processing Addendum283
Parties: Unidentified ‘applicable Amazon Web Services contracting entity’284
Subject Matter: Standard Contractual Clauses providing a legal basis for cross-border data transfers285
Issues: Not mentioned in the AWS Privacy Notice, referred to only in the AWS Service Terms. It relies on the Standard Contractual Clauses without the identification of the supplementary measures mandated by Schrems II.286 The Addendum provides that the Standard Contractual Clauses will not apply ‘if AWS has adopted Binding Corporate Rules . . . or an alternative recognised compliance standard,’287 but it does not inform the reader whether AWS has indeed adopted these rules, let alone explaining what this compliance standard is.

Name: AWS Site Terms288
Parties: Amazon Web Services Inc. and its affiliates
Subject Matter: Use of AWS.Amazon.com.

Name: AWS Trademark Guidelines289
Parties: Amazon Web Services Inc. or its affiliates
Subject Matter: It grants a limited licence to use of AWS-related trademarks

Name: AWS Elemental Appliances and Software Terms of Service290
Parties: Elemental Technologies LLC (subsidiary of Amazon Web Services)
Subject Matter: Encoding, packaging, and delivery of video assets on premises


283 Unknown date <d1.awsstatic.com/legal/aws-gdpr/AWS_GDPR_DPA.pdf>.

284 ibid.

285 European Data Protection Board, ‘Information Note on Data Transfers under the GDPR in the Event of a No-Deal Brexit’ (12 February 2019) <https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-nodeal-brexit_en.pdf>.

286 (n 113).

287 AWS GDPR Data Processing Addendum, 12(2).

288 Last updated on 30 August 2019 <aws.amazon.com/terms/>.

289 Last updated on 14 September 2019 <aws.amazon.com/trademark-guidelines/>.

290 Last updated on 6 August 2019 <aws.amazon.com/legal/elemental-appliances-software-agreement/>.
Things and of the wealth of data they produce, cloud computing appears to be
the go-to solution for optimal processing capabilities.291 In our case study, this
takes the form of Amazon Web Services (AWS), which maintain the network-connected
hardware required for cloud-enabled services; AWS are both provided
to third parties and used internally in many of Amazon’s services. For example,
alongside Alexa, another cloud-powered app is Amazon Chime, a tool for online
meetings and videoconferencing. This means that consumers will have to find,
read, and understand also the following 97 legals.

Additionally, one would need to consider the Service Level Agreements for
each of the 89 AWS services,292 such as the Alexa for Business Service Level
Agreement.293

Alongside the number of the cloud-related legals, their opaqueness, and their
inconsistencies when it comes to international data transfers, the main criticisms
are that they are US contracts — there is no UK- or EU-tailored version — and that
they cannot be found in Amazon’s main legal policies section.


2.5.2.6 The Wave of Sustainability 


Not all the determinants of the high number of legals in the IoT shed light on a
concerning aspect of this sociotechnological phenomenon. Sustainability-related
legals constitute a prime example of this. The idea of sustainability dates back
to the eighties.294 Most notably, in 1987 the World Commission on Environment
and Development referred to it as a form of ‘development that meets the needs
of the present without compromising the ability of future generations to meet
their own needs.’295 This meant, for private companies, an increasing pressure to
embrace forms of corporate social responsibility (CSR), whereby social,
environmental, and economic issues are strategically integrated into all companies’
operational and capital investments decisions.296 In recent years, thanks to the
increased awareness of the imperative to tackle climate change, sustainability has
become more central, and it has been linked to state and nonstate actors’
obligations to enforce and abide by human rights.297 An important role is being played
by the UN and their Guiding Principles on Business and Human Rights.298 IoT
traders can play an important role to make sustainability a reality, for example, by
adopting circular economy principles. Marco Ricolfi makes the example of
self-driving cars, ‘not to be sold but leased, so that in accordance with the tenets of
what is designated as “predictive maintenance” the supplier, who retains property,
constantly receives all the information required to optimize product life cycles,
including repairs, maintenance, replacements, etc.’299 At the same time, the IoT
constitutes a challenge for sustainability. The proliferation of Things can lead to
a vertical increase in nonrecycling waste. More generally, IoT traders have been
criticised for putting in place rather unsustainable practices. Amazon provides an
excellent example of this. In 2013, a BBC investigation found that Amazon makes
its staff work under unbelievable pressure in slave camp conditions.300 In 2018,
there was evidence that Amazon workers were forced to urinate in bottles or skip
bathroom breaks because fulfilment demands were too high.301 These incidents
are not isolated. For example, in 2019 Amazon’s supplier Foxconn was found to
employ over 1,000 schoolchildren, who were reported to work night shifts and
overtime.302


291 See e.g. W Kuan Hon, Christopher Millard and Jatinder Singh, ‘Twenty Legal Considerations
for Clouds of Things’ [2016] Queen Mary University of London, School of Law Legal Studies
Research Paper No 216/2016; Guido Noto La Diega, ‘Clouds of Things: Data Protection and
Consumer Law at the Intersection of Cloud Computing and the Internet of Things in the United
Kingdom’ (2016) 9(1) Journal of Law & Economic Regulation 69.

292 <aws.amazon.com/legal/service-level-agreements/>.

293 Last updated on 19 March 2019 <aws.amazon.com/alexaforbusiness/sla/>.

294 See Geir B Asheim, Sustainability (World Bank Publications 1994).

295 World Commission on Environment and Development, Our Common Future (OUP 1987) 43.

296 Michael Hopkins, CSR and Sustainability: From the Margins to the Mainstream: A Textbook
(Routledge 2017) <https://search.ebscohost.com/login.aspx?direct=true&scope=site&db=nlebk&db=nlabk&AN=1592603>.

297 See e.g. Gerhard Bos and Marcus Düwell (eds), Human Rights and Sustainability (Routledge
2016).

This means that IoT traders have an interest to include in the contractual quagmire
documents that evidence their commitment to sustainability. In this context,
the main legals that an Amazon Echo’s consumer will have to find and read are:


• Supplier Code of Conduct.303 A typical CSR measure, this code aims at making
sure that Amazon’s suppliers respect human rights and the environment
and protect the fundamental dignity of workers.304 The failure to comply with
the code can lead to Amazon terminating the relationship with the supplier.305
• Modern-Day Slavery Statement.306 Unlike most CSR measures, this is a legal
requirement, in particular imposed by the UK Modern Slavery Act.307 The
latter obliges traders with a global turnover of at least £36 million, who carry
on a business or part of a business in the UK, to produce a slavery and human
trafficking statement for each financial year.308


298 United Nations Human Rights Council, resolution 17/4 of 16 June 2011.

299 Marco Ricolfi, ‘IoT and the Ages of Antitrust’ (Nexa Center for Internet & Society 2017) Working
paper nr 4/2017 6.

300 Dave Lee, ‘Amazon Workers Face “Illness Risk”’ BBC News (25 November 2013) <www.bbc.com/news/business-25034598>.

301 James Bloodworth, Hired: Six Months Undercover in Low-Wage Britain (Atlantic Books 2019).

302 China Labor Watch, ‘Amazon’s Supplier Factory Foxconn Recruits Illegally’ (2019) <www.chinalaborwatch.org/upfile/2019_08_07/Amazon%20English%20Report%2008.09.pdf>.

303 Unknown date <d39w7f4ix9f5s9.cloudfront.net/4d/80/9e68 1da64536a287f9e6582 | 6ff9/amazon-supplier-code-of-conduct-2019-09-18-2.pdf>.

304 These standards are derived from the UN Guiding Principles on Business and Human Rights, the
Core Conventions of the International Labour Organization (ILO), and the UN Universal
Declaration of Human Rights.

305 Amazon Supply Chain Standards, point 2.

306 Unknown date <www.amazon.co.uk/gp/help/customer/display.html/ref=hp_left_v4_sib?ie=UTF8&nodeId=202151760>.

307 S 54.


These documents will be of interest to the ‘ethical’ consumer who believes in
sustainable consumption and demands human rights—compliant supply chains.

Keeping public attention high is pivotal to ensuring that IoT multinationals 
deliver on their commitments to sustainability, human rights, and antislavery, 
which is in turn fundamental for a socially just IoT. 


2.6 Interim Conclusion 


I will conclude with some autoethnographic remarks. It took me over two weeks to identify the legals consumers are expected to find, read, and understand when using a Thing as simple as a speaker. Whilst Amazon’s ‘Legal Policies’ section groups seven legals,³⁰⁹ consumers are left . . . to their own devices in their search for the remaining 24 core legals, to which one needs to add 55 Thing-as-a-Service-related legals, 12 developers’ legals, 56 legals for the prosumer, 97 cloud-related, and two that regard sustainability, for a total of 246 legals. And this is not even the full picture, because consumers should also take into account the legals of 7,400 third parties providing 60,000 Things that interact with Echo. Additionally, consumers should pierce the corporate veil and understand which of the hundreds of subsidiaries and affiliates is responsible for each functionality, service, etc. I found it impossible to have a clear picture of who these companies are and what they are responsible for, let alone finding their Echo-relevant legals. The preceding analysis showed not only the issue of the staggering number of legals in the IoT but also two related issues, namely, the difficulty of identifying the contractual parties — which, amongst other things, is crucial to successfully bringing an action — and the fluidity of the contractual subject matter. Some legals purport to regulate the Thing by separating its hardware, software, service, and data components, but the way these components are on each occasion (re)defined — often by qualifying as ‘service’ what would normally count as software, data, or hardware — confirms the initial thesis that Things are an inextricable mixture of these components. This is perhaps best illustrated by the Amazon Device Terms of Use, which would, in theory, regard the product as hardware, but most of their clauses are about services or data.³¹⁰ Similarly, Alexa Terms of Use regard the software and service components of Echo, but they affect the Thing as a whole, including its hardware


308 Transparency in Supply Chains Etc. A Practical Guide. Guidance Issued under Section 54(9) of 
the Modern Slavery Act 2015 (Home Office 2015). 

309 These are the Non-Disclosure Agreement, the Modern-Day Slavery Statement, Miscellaneous 
Reporting, Conditions of Use & Sale, Non-Exhaustive List of Applicable Amazon Patents and
applicable Licensed Patents, Amazon.co.uk Privacy Notice, Non-Exhaustive List of Amazon 
Trademarks. 

310 For example, under the Amazon Device Terms of Use, point 2.b. ‘Some Services may be 
unavailable, vary (e.g. by device or geography), be offered for a limited time, or require separate
subscriptions.’ 
and data components. Indeed, should Amazon exercise its contractual power to discontinue Alexa at any time and at their sole discretion,³¹¹ it would end up ‘bricking’ the speaker in its entirety. Echo as a whole would be affected because, without Alexa, Echo’s consumers would be left with a ‘dumb’ speaker. These conclusions about the number of ‘legals,’ the impossibility to identify the parties, and the inextricability of software, hardware, service, and data are in line with the findings of the similar study that in 2016 analysed Google Nest’s legals.³¹²

These weeks spent looking for Amazon Echo’s legals have seen me oscillating between the excitement of finding something that could benefit consumers and the psychophysical discomfort over Amazon’s opaque private ordering of our lives. Every time I thought I found all the Echo-related legals, I was astonished by the realisation that new documents would frequently pop up, often even by accident, e.g. the stumbling upon an alarming passage in one of the core legals or an unclear sentence from a customer support adviser. These feelings of discomfort and astonishment made me interrupt this exploration many times, and I cannot imagine any user who would be willing to go through this experience.

IoT traders invest considerable resources in the design of their interfaces to improve the user experience.³¹³ The key principle in web design is the principle of least astonishment, whereby ‘[i]f a necessary feature has a high astonishment factor, it may be necessary to redesign the feature.’³¹⁴ Based on this chapter’s analysis, it is recommended that IoT traders apply this principle also to their legals. This will mean redesigning the legals to reduce their number, group them in one place, increase their readability, decrease their length, improve their clarity (e.g. specifying who the contractual parties are and what the document’s subject matter is), their consistency (e.g. when it comes to international data transfers), and their fairness (e.g. by avoiding casting-net provisions).

Building on this picture of the IoT’s consumer issues, the next chapter will 
investigate whether EU consumer contract laws can counter them, rebalance the 
business-to-consumer relationship, and ultimately empower consumers. 


311 Alexa Terms of Use, point 3.2. 

312 Noto La Diega and Walden (n 8). 

313 Claire Rowland and others, Designing Connected Products: UX for the Consumer Internet of 
Things (O’Reilly 2015).

314 MF Cowlishaw, ‘The Design of the REXX Language’ (1984) 23 IBM Systems Journal 326, 333. 


3 The Internet of Contracts 


The Tension between Consumer Contract Laws and IoT Imbalance


The law can never be higher than the economic structure of society and the cultural development conditioned by it.
K. Marx, Critique of the Gotha Programme 


3.1 Scope of the Chapter 


Despite the great benefits that the IoT can bring to consumers, the previous chapter has shown how this sociotechnological phenomenon threatens consumers’ safety, autonomy, self-determination, and privacy. This is done through a combination of ‘technological’ private ordering (e.g. opaque algorithms) and ‘legal’ private ordering, whereby private companies use contracts to take advantage of legal lacunae and the slowness of the lawmaking process, thus unilaterally imposing their own rules on market relationships. It therefore becomes crucial to critically assess whether IoT contracts can be re-engineered so as to better protect consumers.

Over the years, EU laws have greatly contributed to rebalancing business-to-consumer relationships mainly in two ways. Some laws have focused on consumer contracts, by imposing precontractual duties of information, banning unfair terms, and obliging traders to make sure that the product matches what was promised in the contract. Other laws have looked beyond the contract and tried to address the power imbalance in business-to-consumer relationships, especially by holding manufacturers liable for the defects in their products, regardless of any fault and of the existence of a contractual relationship, and by outlawing unfair commercial practices.

This chapter will focus on the former set of laws, namely, EU consumer contract laws; the latter will be analysed in the next chapter. The next sections will first consider whether the Unfair Terms Directive can be invoked to tackle the IoT’s contractual quagmire. This chapter will then explore whether the issue of private ordering ‘by bricking’ can be addressed by consumer sales law, especially after a recent reform that is replacing the First Consumer Sales Directive¹ and pairing

1 Directive 1999/44/EC on certain aspects of the sale of consumer goods and associated guarantees 
(‘First Consumer Sales Directive’) [1999] OJ L 171/12 will be replaced by Directive 2019/771 
it with the Supply of Digital Content Directive.² Finally, it will be questioned whether the precontractual duties to inform under the Consumer Rights Directive (CRD) can address the challenges of ‘IoT Commerce’ to mandated disclosures, i.e., the tension between text-based notice-and-consent mechanisms and the reality of immersive, hyperconnected, interface-free transactional environments.

With this in mind, this chapter will answer the following subquestion: can 
consumer contract laws curb the power imbalance in IoT business-to-consumer 
transactions? 


3.2 The IoT Overcomes Yet Another Binary: Unfairness of Substance and Unfairness of Form in the Smart Home


IoT-generated data enables traders to personalise goods and services, thus potentially benefitting consumers. Amazon e.g. can ‘personalise content and features . . . including by showing you recommendations (as well as) continuously improve the Amazon devices and services.’ However, this wealth of granular knowledge also ‘facilitates data-driven exploitative contracting.’⁴ This is exemplified by Facebook Australia allowing its advertisers to target unstable and vulnerable teenagers. Correspondingly, there has been a decrease in the amount of knowledge that consumers have about the traders, who increasingly rely on technical and legal secrecy (e.g. ‘black box’ AI algorithms and trade secrets).⁶ This exacerbates information asymmetry and, hence, power imbalance, which can lead to the imposition of unfair contractual terms. Arguably, the contractual quagmire is both the cause and the effect of such power imbalance. The following sections will investigate whether the contractual quagmire as such, as well as individual terms in Echo’s legals, fall foul of unfair terms laws. These laws focus on the balance of rights and obligations established between the seller or supplier of the product (hereinafter ‘trader’)⁷ and the consumer. The rules proceed on the assumption, corroborated by behavioural studies, that the consumer is in a weak

on certain aspects concerning contracts for the sale of goods (‘Second Consumer Sales Directive’) [2019] OJ L 136/28 as of 1 January 2022.

2 Directive 2019/770 on certain aspects concerning contracts for the supply of digital content and 
digital services (Digital Content Directive) [2019] OJ L 136/1. 

3 Amazon Coins Terms, point 5 <www.amazon.co.uk/gp/help/customer/display.html?nodeId=201434520> accessed 23 May 2018.

4 Philipp Hacker, ‘Personal Data, Exploitative Contracts, and Algorithmic Fairness: Autonomous 
Vehicles Meet the Internet of Things’ (2017) 7 International Data Privacy Law 266. 

5 Sam Machkovech, ‘Report: Facebook Helped Advertisers Target Teens Who Feel “Worthless”’ (Ars Technica, 5 January 2017) <https://arstechnica.com/information-technology/2017/05/facebook-helped-advertisers-target-teens-who-feel-worthless/>.

6 Guido Noto La Diega, ‘Against the Dehumanisation of Decision-Making — Algorithmic Decisions 
at the Crossroads of Intellectual Property, Data Protection, and Freedom of Information’ (2018) 9 
JIPITEC 3. 

7 ‘Seller or supplier’ is the EU wording, ‘trader’ the UK one. Even though this book takes an EU 
perspective, I prefer the simpler and more encompassing ‘trader.’ 
position both in their bargaining power and their level of knowledge,⁸ and provide a public law framework to remedy private law failings. These rules tackle both terms that are unfair in their content — unfairness ‘of substance’ — and terms whose form renders them unfair, typically because untransparent — unfairness ‘of form.’


3.2.1 Scope of the Unfair Terms Directive and Its Consequences for the Contractual Quagmire


In the EU, the primary legislative reference in the field is Directive 93/13/EEC ‘on unfair terms in consumer contracts,’ as amended by Directive 2019/2161 (Omnibus Directive).⁹ Transposed in November 2021, the national implementation measures will apply from 28 May 2022.¹⁰ This reform is part of the ‘New Deal for Consumers’ package,¹¹ which includes a directive on class actions for the protection of the collective interests of consumers (Representative Action Directive).¹² This directive will have to be transposed by December 2022 and will oblige member states to put in place effective procedural mechanisms to allow qualified entities (e.g. consumer organisations or public bodies) to bring class actions, including the right to obtain injunctions and compensation.¹³

With the goal of updating and making consumer protection more effective,¹⁴ the main innovations of the Omnibus Directive are to have member states introduce effective penalties for infringements and fines of up to 4% of the trader’s annual turnover or, if the relevant information is not available, EUR 2 million. To this end, it amended the Unfair Terms Directive, the Unfair Commercial Practices Directive, the CRD, and the Price Indication Directive,¹⁶ though no provision on fines was inserted in the latter. With regards to the Unfair Terms Directive, the reform only introduced an obligation to introduce penalties and the aforementioned rule on fines.¹⁷ These are not particularly relevant from this book’s perspective and therefore will not be analysed, but more will be said on the reform when dealing with the CRD and the Unfair Commercial Practices, which are more profoundly affected by it.


8 Case C-484/08 Caja de Ahorros v Ausbanc [2010] 3 CMLR 43. 

9 Directive 2019/2161 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC 
and 2011/83 as regards the better enforcement and modernisation of Union consumer protection 
rules (‘Omnibus Directive’) [2019] OJ L 328/7. 

10 Omnibus Directive, art 7. 

11 European Commission, ‘Communication “A New Deal for Consumers”’ (2018) COM/2018/183 final.

12 Directive 2020/1828 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC [2020] OJ L 409/1.

13 Representative Actions Directive, arts 7–9, 24.

14 Omnibus Directive, recitals 1, 2, and 25. 

15 Omnibus Directive, art 1 (with regards to the Unfair Terms Directive), 3(6) (with regards to the 
Unfair Commercial Practices Directive), and 4(13) (with regards to the CRD). 

16 Directive 98/6/EC on consumer protection in the indication of the prices of products offered to 
consumers [1998] OJ L 80/27. 

17 Unfair Terms Directive, art 8b, as inserted by Omnibus Directive, art 1. 
The Unfair Terms Directive tackles the unfairness of standard contracts; it does not apply to terms that have been negotiated individually.¹⁸ Indeed, this instrument aims at offsetting the weak position consumers find themselves vis-à-vis traders, as such position, the CJEU reiterated in de Grote, ‘leads to the consumer agreeing to terms drawn up in advance by the seller or supplier without being able to influence the content of those terms.’¹⁹ Most online transactions appear not to be negotiated individually, and this is exacerbated by the IoT, which leads to an increased distance ‘between consumers and the contract formation process.’²⁰ Preformulated standard contracts, such as Echo’s legals (and most IoT ‘legals’), are the primary object of this regime — this was recently confirmed by the CJEU in VKI v Amazon,²¹ regarding the unfairness of Amazon.de’s general terms and conditions.

Unfair terms are not binding on the consumer unless the consumer objects.²² Consumers can initiate judicial proceedings or rely on forms of public enforcement through actions by regulators, e.g. the Competition and Markets Authority and Trading Standards Services. Whilst the term that is found to be unfair is declared nonbinding, the rest of the contract retains its validity, unless the agreement is not capable of continuing in existence without the unfair term.²³ This was the case in GT v HS²⁴ when the unfair term defined the main subject matter of the agreement; accordingly, its unfairness was at the core of the contract and invalidated it in its entirety. The recent Abanca Corporación Bancaria²⁵ well illustrates the consequence of a finding of unfairness. The case regarded a mortgage loan contract that provided for the early termination in the event that the debtor missed a single monthly loan repayment (so-called accelerated repayment clause). The referring court questioned whether, should an early repayment clause be deemed unfair, it might nonetheless be maintained in part, with the elements which made it unfair removed. The court moved from the observation that the directive remedies the weakness of the consumer by considering unfair and hence nonbinding terms that are contrary to good faith, imbalanced, and/or intransparent.²⁶ There is no doubt in the case that the early termination and repayment of the loan where the debtor missed a single monthly repayment is not in good faith, and it leads to a significantly imbalanced relationship. Therefore, it is unfair. The problem was


18 Unfair Terms Directive, art 3(2). 
Beyond’ (2015) 44 Hofstra Law Review 839.

21 Case C-191/15 Verein für Konsumenteninformation v Amazon EU Sarl [2016] 7 WLUK 797 [63].

23 Unfair Terms Directive, art 6(1).

[2019] 3 WLUK 424.
that, according to case law dating back to Banco Español de Crédito,²⁷ national law cannot allow national courts to modify that contract by revising the content of the unfair term. Such power is seen as adversely affecting the ‘dissuasive effect’ of the Unfair Terms Directive in that traders


would still be tempted to use those terms in the knowledge that, even if they were declared invalid, the contract could nevertheless be modified, to the extent necessary, by the national court in such a way as to safeguard the interest of those (traders).²⁸


It follows, in the CJEU’s reasoning, that the early repayment clause is invalid in its entirety and the mere removal of the ground for termination, with the rest of the term remaining binding, would ‘ultimately be tantamount to revising the content of those terms by altering their substance.’²⁹ However, national courts have some replacing powers when the invalidity of the unfair term would lead to the annulment of the entire contract, thus exposing the consumer to ‘particularly unfavourable consequences.’³⁰ In such scenarios, the court can replace the term ‘with a supplementary provision of national law’³¹ that in Abanca Corporación Bancaria made it possible for mortgage loan contracts to be terminated prematurely after the debtors failed to pay at least three monthly repayment instalments.³²

This is consistent with the directive’s objective to re-establish equality between the parties, not to annul all contracts containing unfair terms. Equally, this is consistent with the aforementioned ‘dissuasive effect,’ because should this judicial power to replace unfair terms not be recognised — hence the invalidity of the entire loan contract — the consumer would have to transfer the outstanding balance forthwith. This would penalise the consumer rather than the lender, who, ‘as a consequence, might not be dissuaded from inserting such terms in its contracts.’³³ There is no definition of the ‘unfavourable consequences’ that allow courts to replace unfair terms — as opposed to simply declaring them nonbinding, with potential invalidity of the contract as a whole. However, the argument could be put forward that once a consumer builds a smart home around Alexa and Echo, if its legals are declared invalid because one or more of its terms are unfair, the downgrading that would follow from being cut out of all the smart home-related benefits could amount to such ‘unfavourable consequence,’ creating margins of judicial manoeuvre. Therefore, courts may intervene to replace unfair terms with fair ones in order to preserve the ‘smartness’ of the Thing or of the IoT system (e.g. smart home).


27 (n 22) [73]; Case C-26/13 Árpád Kásler and Hajnalka Káslerné Rábai v OTP Jelzálogbank Zrt
Consumers are not expected to contest a term’s unfairness; indeed, the CJEU held in Pannon³⁴ and confirmed in Bucura³⁵ that national courts must examine, of their own motion, the unfairness of a contractual term if they have available to them the legal and factual elements necessary for that task. The rationale of this principle — called ex officio control of unfair terms — is to compensate for the structurally weaker position of consumers, who may not be aware of their rights and may, consequently, not raise the unfairness of contract terms.³⁶ The court’s obligation to assess unfair contract terms of its own motion applies also to the terms that are connected to the subject matter of the dispute, as recently decided in Lintner. According to the CJEU, a court must examine of its own motion ‘those terms which are connected to the subject matter of the dispute, as delimited by the parties.’³⁷ This means that national courts must take into account all the contractual terms — arguably in all the legals, even the unchallenged ones — to assess the unfairness of the term forming the basis of the claim, but they do not have to examine of their own motion whether or not all those terms are unfair. In the IoT, this judicial power is likely to be useful as it will allow courts to examine the whole web of legals, thus freeing the consumer from the contractual quagmire.

The rule of the own-motion review has one exception that has to be construed narrowly,³⁸ namely, if the term reflects a specific and mandatory statutory or regulatory provision, as stated in Aqua Med³⁹ applying OTP Bank.⁴⁰ These are two distinct requirements, as ruled in Kanyeba⁴¹ and Gómez del Moral Guasch.⁴² First, the contractual term must reflect a statutory or regulatory provision, and secondly, that provision must be mandatory. These provisions are defined as ‘provisions of national law that apply between the parties to the contract independently of their choice and to provisions that apply by default, that is to say, in the absence of other arrangements established by the parties in that regard.’⁴³ Terms reflecting these provisions are outside the scope of the directive.⁴⁴ For example, in Roundlistic Ltd v Jones,⁴⁵ under the Leasehold Reform, Housing and Urban Development
Act 1993, the lessor was obliged to grant a new lease; the UK regulations that transposed the Unfair Terms Directive did not apply.⁴⁶

Therefore, in principle courts faced with the alleged unfairness of terms in IoT legals have to examine of their own motion the entire network of contracts as it is likely that a large number of terms in the IoT’s contractual quagmire are in some way connected to the subject matter of the dispute. Indeed, we have seen in the previous chapter how in IoT contracting casting-net provisions abound and that virtually all legals affect the Thing as a whole, despite their attempt to regulate only one of its components, e.g. software. In intervening ex officio, courts will have to be open to rewriting the term — not simply to declaring it nonbinding — as the more the IoT becomes an integral part of our life, the more being cut out of it must be regarded as an unfavourable consequence that calls for judicial re-engineering of contracts.

The directive elaborates two different, albeit intertwined, types of unfairness: ‘of substance’ and ‘of form.’⁴⁷ Prima facie, the main focus of the directive is on the former, that is, on the assessment of whether the content of a contractual term signals a significant imbalance of rights and obligations.⁴⁸ Unfairness of form, in turn, looks more closely at issues of transparency.⁴⁹ The next section will consider issues of substance, whilst those of form will be analysed in the following one.


3.2.2 Unfairness of Substance: Terms That, Contrary to the Requirement of Good Faith, Cause a Significant Imbalance in the Parties’ Rights and Obligations


A term is considered unfair if, ‘contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations arising under the contract, to the detriment of the consumer.’⁵⁰ The European Commission⁵¹ breaks the unfairness test into two requirements: lack of good faith and significant imbalance.

Good faith embodies a ‘fair and open dealing’ principle, with regards to how the contract is drafted, presented, negotiated, and carried out. As observed in Aziz,⁵³ there is good faith if the trader, ‘dealing fairly and equitably with the consumer, could reasonably assume that the consumer would have agreed to such a term in individual contract negotiations.’⁵⁴ The concept of good faith is not a
subjective one, in the sense that courts do not need to assess if the trader was aware that a contractual term could harm the consumer.⁵⁵ It is an objective concept, ‘linked to the question of whether, in light of its content, the contract term in question is compatible with fair and equitable market practices.’⁵⁶ The directive⁵⁷ makes it clear that good faith and significant imbalance are closely intertwined, as in making an assessment of good faith, courts must have regard:


(i) To the strength of the bargaining positions of the parties;

(ii) Whether the consumer had an inducement to agree to the term and whether the goods or services were sold or supplied to the special order of the consumer; and

(iii) Whether the trader dealt fairly and equitably and took into account the consumer’s legitimate interests.


In the IoT context, and keeping in mind the empirical analysis in the previous chapter, there is little doubt that IoT traders’ data power puts them in a strong bargaining position, and it weakens the consumers’ position, as traders can exploit consumers’ vulnerabilities and biases.⁵⁸ It can also be said that unilaterally submerging the consumer with countless legals is not an open and equitable practice and disregards the consumer’s interests. Arguably, therefore, the IoT’s contractual quagmire is contrary to good faith, and the first requirement of the unfairness test is made out.

It has been suggested⁵⁹ that the requirements are so closely linked that, at a closer look, good faith is not a separate condition for the unfairness of a contract term, and what matters is only the significant imbalance. However, the CJEU and Commission do not support this interpretation;⁶⁰ therefore, the significant imbalance requirement will be separately considered.

There is a significant imbalance, as stated in Director General of Fair Trading v First National Bank, ‘if a term is so weighted in favour of the (trader) as to tilt the parties’ rights and obligations under the contract significantly in (the former’s) favour.’⁶¹ An example of imbalance provided in Andriciuc⁶² is a loan agreement where the exchange rate risk is borne entirely by the consumer. A good indication that this requirement is made out is when the term places the consumer in a legal position that is less favourable than the one ordinarily provided for by the law.⁶³
Courts have to compare the relevant contract term with any rules of national law which would apply in the absence of the contract term.⁶⁴ For example, the fact that a contract deviates from a law setting out conditions under which penalties, such as default interest, may be requested may indicate a significant imbalance.⁶⁵ Where there are no such statutory provisions, the imbalance will be assessed in light of other points of reference, such as ‘fair and equitable market practices or a comparison of the rights and obligations of the parties under a particular term.’ As held in Constructora Principado,⁶⁷ the chief question is whether the significant imbalance results from a ‘sufficiently serious impairment of the legal situation in which the consumer . . . is placed by reason of the relevant national provisions.’⁶⁸ This does not necessarily refer to an economic imbalance. For instance, a term that imposes the payment of a tax on a consumer, whereas under national law this tax should be borne by the trader, qualifies as significant imbalance, regardless of the amount that the consumer will have to pay.⁶⁹ The imbalance can be also nonfinancial, e.g. if a privacy policy allows the trader to pass on information it holds on the consumer more widely than it would be permitted under the GDPR.⁷⁰

Although there is no EU guidance on whether the detriment to the consumer is a distinct requirement, at a national level the prevailing option is that actual harm is not required. This is the case in the UK, where the Competition and Markets Authority⁷¹ clarified that what matters is that the imbalance is practically significant and therefore a potential harm will suffice. Terms can be challenged if they could be used to cause consumer detriment, regardless of whether they are being used so as to produce that outcome in practice. This is also the case in Italy. Whilst the Italian version of the directive refers to ‘danno’ (damage, harm), the relevant implementation measure⁷² more generically provides that the significant imbalance must regard the consumer (‘a carico’), which means that a significant imbalance that is contrary to good faith is presumed to be inherently harmful.⁷³

The unfairness of a term has to be assessed taking into account:⁷⁴


(i) The nature of the goods or services to which the contract relates;
(ii) All the other terms of the contract or of another contract on which the former is dependent;
(iii) All the circumstances attending the conclusion of the contract. 
If we apply the first factor to the IoT, all points in the direction of a likelihood of a finding of unfairness. IoT contracts regard products that are complex to understand and that can be used to increase and leverage the power imbalance between trader and consumer. In the contractual quagmire, one needs to consider the connection between a term and all the other terms provided in extremely long and countless legals. Coming to the circumstances attending the conclusion of the contract, as stated in Andriciuc,⁷⁵ they have to be interpreted broadly, as inclusive of all the ‘circumstances which could have been known to the (trader) at that time . . . taking account, in particular of the expertise and knowledge of the (trader).’⁷⁶ IoT traders have a wealth of knowledge about both the Thing and the consumer — Amazon e.g. may know if you have a tendency to impulsive buying⁷⁷ and could leverage it. The higher the knowledge on the side of the company, the stricter the assessment of the unfairness of the terms.

The directive is accompanied by a list of terms that may be considered unfair.⁷⁸ An example is terms that limit a trader’s liability in the event of a consumer’s death or personal injury to the latter resulting from an act or omission of that trader.⁷⁹ Although the inclusion in the list is an essential element on which the unfairness assessment may be based, courts have to verify if the good faith and significant imbalance requirements are made out on a case-by-case basis.⁸⁰ This is usually referred to as ‘grey list,’⁸¹ to distinguish it from the blacklist of terms that are unfair in all circumstances, without the need for a case-by-case assessment. Indeed, since the directive follows the principle of minimum harmonisation, member states can introduce stricter rules.⁸² Belgium, Bulgaria, Czech Republic, Germany, Greece, Spain, France, Italy, Luxembourg, Hungary, the Netherlands, Austria, Portugal, Slovakia, and the UK provide such blacklists.⁸³ Under the UK Consumer Rights Act 2015 (CRA),⁸⁴ contract terms seeking to exclude or restrict statutory rights and any remedies are not binding on the consumer without the need to apply the fairness test.

In our scenario, it is worth noting that, in the grey list, we find also terms ‘irrevocably binding the consumer to terms with which (they) had no real opportunity
of becoming acquainted before the conclusion of the contract.’⁸⁵ This provision seems particularly suitable for the contractual quagmire, where traders expect their terms to be binding, despite the fact that they are hard to find and read, let alone understand. Grey-listed terms merely indicate terms that may be unfair, but one needs still to assess whether they are contrary to good faith and lead to a significant imbalance of rights and obligations. Indeed, as held in Freiburger Kommunalbauten,⁸⁶ it is for the national authorities to assess the unfairness of specific contract terms in light of the specific circumstances of each case. Therefore, to answer the question of whether the contractual quagmire instantiates unfairness of substance, the next section will look at how UK authorities have dealt with the unfairness of Amazon’s legals.


3.2.3 The Competition and Markets Authority’s Review of Cloud Storage Unfair Terms and the Incentives Hierarchy


Between 2015 and 2017, the UK Competition and Markets Authority reviewed whether cloud storage providers were complying with consumer protection law.⁸⁷ This led Amazon Media EU S.a.r.l., provider of the cloud storage service then branded as Amazon Drive (now Photos), to commit to rewrite its contract terms. The company recognised that certain terms needed to be changed to make Amazon Drive (now Photos) Terms of Use fair.⁸⁸ The main problem with this initiative is that it focused only on one of the ‘legals,’ ignoring the way the legals interrelate within Amazon’s web of contracts. It is also problematic that the enquiry targeted only one of Amazon’s traders, without considering the role played by subsidiaries and affiliates. The new provisions introduced in Amazon Drive Terms of Use as a consequence of the Competition and Markets Authority’s review can be used as an analytical tool to assess if unfair terms are still present in other Echo legals. The focus will be on two crucial points: changes to service and liability.


1. Material changes to the service can only be made for valid reasons clearly 
set out in the contract terms. As a consequence of the enquiry of the 
Competition and Markets Authority, the Drive Terms have been amended and now 
permit changes to the services only ‘for legal or regulatory reasons; for 
security reasons; to enhance features of the Services; to reflect advancements in 
technology; to make reasonable technical adjustments to the Services; and 
to ensure the ongoing operability of the Services.’ A similar provision is 
now present in Prime Terms; however, the same does not apply to the other 
legals. For example, under the Device Terms: ‘We may change, suspend, or 
discontinue the Services, or any part of them, at any time. We may amend 
any of this Agreement’s terms at our sole discretion.’ Similarly, in Alexa 
Terms of Use and in the Conditions of Use, there is no setting out of valid 
reasons. 

2. Consumers shall receive reasonable advance notice of material changes to 
the service. On this point, Amazon responded to the enquiry by amending 
the Drive Terms, which now provide that ‘[they] will inform [users] a 
reasonable period in advance of any material changes becoming effective.’ 
A similar provision, albeit less favourable to the consumer, can be found in 
Prime Terms, where Amazon commits to ‘inform [users] in due form and 
time.’ This is less favourable because the information does not have to be 
provided necessarily before or with the changes. The Device Terms and the 
Alexa Terms are even less favourable as thereunder changes are not 
communicated; they are simply made ‘by posting the revised terms on the 
Amazon.co.uk website.’ At the bottom, in terms of the degree of fairness, are 
the Conditions of Use: they do not even require the posting of the changes. 
Indeed, users ‘will be subject to the terms and conditions, policies and 
Conditions of Sale in force at the time that [they] order products from [Amazon].’ 
This term is complemented by the caveat ‘unless any change . . . is required to 
be made by law.’ These generic terms do not meet the transparency 
requirements, and as their language is not plain and intelligible, courts will be able 
to assess the unfairness of the main subject matter of the contract and of the 
price. They could also be regarded as unenforceable under general contract 
law, as they are vague. 

3. Consumers who do not wish to accept material changes to the service must 
be able to cancel the contract and obtain a refund for services not yet 
provided. After the intervention of the Competition and Markets Authority, the 
Drive Terms have been changed, and now consumers can reject the changes 
to the service by terminating the contract, and they will receive a prorated 
refund of any fees paid. This can be seen as equivalent to Prime Terms’ 
‘partial refund of this membership fee based on benefits usage.’ No refund, 
conversely, is provided by Device Terms, Alexa Terms, or Conditions of 
Use. 


The new Drive Terms’ provisions regarding the changes to the service (points 1, 
2, and 3 prior) ‘shall prevail over . . . the Amazon.co.uk Conditions of Use to the 
extent of any conflict or inconsistency between the two terms.’ This is another 
casting-net provision that would require the consumer to find and read two 
separate ‘legals’ and compare them to try to understand if they are consistent. Better 
would have been if Amazon directly changed all its legals to ensure consistency 
and fairness across all the provisions regarding changes to service. 

Unilateral and arbitrary changes are likely to be unfair, and the prior analysis 
inter alia confirmed the accuracy of the prediction whereby the IoT will ‘likely 
lead businesses to further take advantage of consumer ignorance and apathy by 
including one-sided contract terms, such as unilateral amendment provisions.’ 
Whilst there is not sufficient evidence that consumers are indeed apathetic, it can 
be accepted that the IoT’s data flood is increasing the opportunities to impose 
unfair unilateral terms — and, correspondingly, disenfranchising consumers who 
do not feel like they can challenge IoT traders’ practices. 107 


4. Amazon’s liability will not be excluded or limited if it fails to provide the 
service with reasonable skill and care. Since the terms that regard liability in 
the main Echo legals refer to the Conditions of Use, it can be useful to start 
by looking at the latter. Amazon disclaims liability for interrupted and flawed 
services, blaming it on ‘the nature of the internet’ (sic!). They also refuse 
liability for losses that are not caused by a breach on their part, business losses, 
indirect or consequential losses. The exclusion of consequential losses can be 
regarded as unfair because the legal meaning of ‘consequential’ is different to 
the ordinary one; this divergence may mislead consumers into thinking that 
‘they have no claim for any loss which is a consequence of a trader’s breach 
of contract.’ Moreover, it is unfair to exclude certain losses only because 
they do not flow directly and naturally from the trader’s breach; e.g. the 
consumer is entitled to compensation if they told the trader about a risk and the 
latter did not put in place measures to avoid them. Conversely, Amazon’s 
disclaimer of liability for breach of contract is not necessarily unfair if it is 
limited to the breach arising ‘from any cause which is beyond [Amazon’s] 
reasonable control.’ Indeed, terms excluding rights to redress for breach 
of contract may be unfair, but only if such exclusion is inappropriate; the 
exclusion of liability for breaches beyond the trader’s control seems 
appropriate. Similarly, it is fair to limit liability for death or personal injury to 
negligence or wilful misconduct. It may be useful to recall that, under the grey 
list of terms that may be unfair, traders can exclude or limit liability for death 
or personal injury, as long as these do not result from an act or omission of 
the trader. The closing, finally, is both unfair and lacking transparency, 
in that it merely refers to the fact that the laws of some countries may not 
allow some liability limitations, in which case ‘you might have additional 
rights.’ This is in violation of RWE Vertrieb, inasmuch as it outlawed the 
practice to refer generically, without any details, to laws determining rights 
and obligations. 


In the review conducted by the Competition and Markets Authority, it was agreed 
that it would be unfair to exclude or limit liability if the company fails to provide 
the service with reasonable skill and care. Accordingly, the revised version of 
the Drive Terms reads: 


Amazon will exercise reasonable care and skill in providing the Services to 
you and . . . we will not limit our liability to you in respect of losses you incur 
that arise as a direct result of our failure to do so. 


Here Amazon only partly followed up on its commitments with the Competition 
and Markets Authority; indeed, the quoted term is caveated by ‘unless otherwise 
excluded below.’ This means that the broader, and partly conflicting, 
disclaimer of warranties and limitation of liability in the Conditions of Use may 
prevail over the Drive Terms, thus affecting liability in the provision of Cloud of 
Things services. What is worse, the Drive Terms add other limitations, e.g. for 
the losses that are not excluded, ‘Amazon’s liability to you for compensation 
(including any statutory right to obtain a refund) will be limited to the amount 
you paid (if any) for your then current Service Plan.’ Under the Prime Terms, 
in turn, Amazon accepts liability for gross negligence, wilful misconduct, and 
breach of its obligations under the terms ‘which are essential for the provision 
of Prime and which you rely on when joining Prime,’ with the exclusion of 
unforeseeable losses. At a first look, this is a fair term, but it refers generically 
to the Conditions of Use, and therefore it may be construed as inclusive of the 
latter’s disclaimers and limitations. The precision that ‘your statutory rights as 
a consumer’ will not be affected is of little help; as noted by the Competition 
and Markets Authority, the ‘mere addition of a statement that statutory rights are 
unaffected, without explanation, cannot make such a term acceptable.’ The 
terms are even more unfair in the remaining legals. Under the Device Terms, 
the device ‘may be subject to a limited warranty,’ unless ‘otherwise provided by 
Amazon.’ This vague and arguably unenforceable provision is paired with a 
compensation cap of £50, in addition to ‘the amount you paid for your Amazon 
Device,’ without specifying whether Amazon is liable for lack of skill and 
care. These terms are without prejudice to the disclaimers and limitations of the 
Conditions of Use, and so are the Alexa Terms, which carry a liability provision 
that resembles the Device Terms’ one, this time with a £50 cap. Caps on available 
compensation limit the trader’s liability, and if ‘a contract is to be fully and 
equally binding on both trader and consumer, each party should be entitled to 
full compensation where the other fails to honour its obligations.’ Therefore, 
these caps, although not automatically blacklisted as unfair, are ‘under strong 
suspicion of unfairness.’ 

Public enforcement and, more generally, public scrutiny over IoT platforms’ 
private ordering are a positive step in the direction of a more trustworthy IoT. 
However, initiatives such as the UK Competition and Markets Authority’s 
review of cloud storage contracts have their drawbacks. First, they do not 
consider that the cloud is integrated in more complex services and products. Having 
traders change their cloud contracts without intervening on the rest of legals 
does not help consumers, because the latter’s rights and obligations remain 
negatively affected by the interrelations with those legals that are left untouched. 
Second, the assessment of the fairness of Echo’s legals suggests that there is 
a hierarchy of incentives IoT traders respond to (Figure 3.1). Indeed, as seen 
above, it has been noted that the Drive Terms present the highest degree of 
fairness, followed by Prime Terms, Device Terms, Alexa Terms, and Conditions of 
Use. This suggests that there is a hierarchy of incentives, in the sense that IoT 
traders are: 


(i) More likely to treat consumers fairly as a response to public pressure (e.g. a 
regulator publicly reviewing their terms, see the Drive Terms); 

(ii) Somewhat likely to be fair as a response to financial incentives (e.g. the 
Prime subscription and the price of the Thing, see Prime Terms and Device 
Terms respectively); and 

(iii) Less likely to be fair to the average consumer that ‘pays’ with their personal 
data (Alexa Terms and Conditions of Use). 


Figure 3.1 The IoT’s hierarchy of incentives. 


Lawmakers and regulators should take into account the above analysis when 
choosing how to intervene to make IoT transactions fairer. Public pressure (reviews, 
inquiries, etc.) seems more likely to obtain a positive result, provided that they 
are aware of the IoT’s contractual quagmire and, in particular, of the interactions 
between the components of the Thing, between Things within an IoT system, and 
between the relevant providers that may be subsidiaries of the main trader or hardly 
identifiable third parties. Positively, public actions leading to changes in contractual 
terms are becoming more common. In October 2019, the European Data Protection 
Supervisor published the preliminary results of its enquiry underlining ‘serious 
concerns over the compliance of the relevant contractual terms with data protection rules 
and the role of Microsoft as a processor for EU institutions.’ After a month, 
working with the Dutch Ministry of Justice, which had reached similar conclusions, 
Microsoft updated its privacy provisions in the Microsoft Online Services Terms 
in their commercial cloud contracts. Arguably, the company took advantage of 
the policymakers’ lack of awareness of the IoT’s contractual quagmire — and the 
relevant interconnection between contracts — therefore, the update of only some 
provisions of one of the ‘legals’ risks being ineffective. 

This analysis illustrated some of the manifestations of unfairness ‘of substance’ 
in the IoT. Instances of unfairness ‘of form’ are no less concerning, as the next 
section will show. 


3.2.4 The Importance to Design the Legals in a Plain and Intelligible Way 


In addition to the fairness test (good faith and significant imbalance) and the 
non-exhaustive grey list, the Unfair Terms Directive contains transparency 
requirements. They have a threefold function: 


(i) Terms that are not drafted in plain, intelligible language have to be 
interpreted in favour of the consumer. 

(ii) The main subject matter of the contract or the adequacy of the price and 
remuneration are normally excluded from the unfairness test. However, the 
fairness of these ‘core’ terms will be open to assessment if they are not in 
plain, intelligible language. 

(iii) The lack of transparency can be an element in the assessment of the 
unfairness of a given contract term and can even indicate unfairness — unfairness 
‘of form.’ 


Although transparency plays an important role, member states do not have 
an obligation under the directive to regard opaque terms as unlawful per se. 
Conversely, in the UK, transparency is also a ‘requirement in its own right, 
breach of which can lead to enforcement action.’ Similarly, the German 
Civil Code expressly links the lack of transparency and significant 
imbalance. Under EU law, opaque terms can be fair, and transparent terms can 
be unfair. 138 

Transparency means that terms should be drafted in a way that ensures ‘that 
consumers can make informed choices.’ Arguably, Things may appear as 
simple entities, but in reality, they are complex due to their reliance on new 
technologies, their being a mixture of hardware, software, service, and data, and their 
multilayered supply chain. Their complexity makes it difficult for consumers to 
understand them and to make an informed transactional decision. In addition, they 
provide IoT traders with unprecedented opportunities to track, profile, influence, 
and exploit consumers. This requires careful contractual drafting to ensure 
transparency and a balance of rights and obligations. 

The unfairness ‘of form’ is linked to the duty to draft terms ‘in plain intelligible 
language.’ These issues are ‘of form’ in the sense that it is the manner in which 
the contract is presented to the customer that is being considered. Contrary to 
popular belief, ‘formal unfairness’ is in fact of the essence. Indeed, as mentioned above 
with regards to the second function of the transparency requirement, the 
assessment of the unfair nature of the terms does not ‘relate neither to the definition of the 
main subject matter of the contract nor to the adequacy of the price and 
remuneration, on the one hand, as against the services or goods supplies in exchange, on the 
other.’ An example of a term that would usually escape an unfairness assessment 
is a term in a loan agreement that determines how the amount of the loan is to be 
established, as was the case in GT v HS. However, if these ‘core’ terms are not 
drafted in plain, intelligible language, the unfairness assessment will include both 
the definition of the main subject matter and the adequacy of the price. As recently 
held in Gómez del Moral Guasch, regardless of whether a member state availed 
itself of the option to provide that the assessment of the unfairness of a term is not 
to relate to the definition of the main subject matter of the contract, its courts must 
verify that the term is plain and intelligible. This is a positive indication that the 
way legals are designed plays a crucial role in assessing their unfairness. 

Whilst many European and national cases regard unfairness of substance, there 
is a growing body of cases that deal with issues of form. They are mostly linked to 
the fact that if the language is not plain and accessible, the unfairness assessment 
can concern also the main object of the contract and the price. While a finding 
that a term lacks transparency may not in itself be sufficient to render the term 
unfair, any uncertainty about the meaning arising from the lack of transparency 
should be interpreted in a manner most favourable to the consumer. 

As observed in OFT v Foxtons, to assess if a term in the ‘small print’ is fair, 
one needs to look at consumer expectations and manner of presentation. The 
expectation of the average consumer is that the legals contain ‘things which are 
not of everyday concern to the consumer — it contains various clauses which are 
thought by the supplier to be necessary but which are not usually relied on.’ In 
theory, the average consumer is circumspect and therefore will read all the ‘legals,’ 
but ‘the practice is that even the circumspect (consumer) will be unlikely to do 
so with a great degree of attention.’ Therefore, provisions containing 
important obligations should not ‘be tucked away in the “small print” only, with no 
prior flagging, notice or discussion’; otherwise, they become a ‘trap, or a time 
bomb.’ Accordingly, IoT providers should make sure that their ‘legals’ are easily 
accessible to consumers. An indicator of this is the readability coefficient, which is 
usually measured through the Flesch-Kincaid test. The higher the score, the higher 
the readability of the text. Some US states have introduced an obligation to draft 
contracts that meet prescribed Flesch-Kincaid scores; e.g. in South Carolina loan 
contracts must have a Flesch-Kincaid score of 70-80, which corresponds to a US 
school level of seventh grade (13-year-olds). Echo’s core legals have a 
Flesch-Kincaid readability score of 43, which means that they are difficult to read and are 
accessible only to consumers who have a college education. This is in line with the 
readability level of most sign-in-wrap agreements, which are as readable as 
academic journals. However, such prevalence does not make the practice any fairer. 

Most consumers do not read the ‘legals,’ and the IoT, by exacerbating 
information and power asymmetries, ‘further encourage(s) consumers’ failure to read 
and understand contract terms prior to contracting.’ The hypothetical avid 
reader of Echo’s legals will need 78 hours to read them. Improving the readability 
of the ‘legals’ is important not only to consumers but also to providers, given 
that, if the ‘legals’ are not ‘written in plain English, then they may not be legally 
binding — or at least the parts that are not transparent won’t be.’ 

Transparency must be understood broadly as going beyond the mere 
comprehensibility of the term. It is a requirement for obligations and rights to be set 
out fully, to put ‘the consumer into a position where (they) can understand (the 
terms’) practical significance.’ The leading case is Kásler, where the CJEU 
decided that ‘plain intelligible language’ cannot ‘be reduced merely to (the terms) 
being formally and grammatically intelligible.’ Rather, it must be understood 
in a broad sense, on the basis of an ‘average consumer, who is reasonably well 
informed and reasonably observant and circumspect’ and who should be able 
to ‘assess the potentially significant economic consequences for (them),’ as 
confirmed in Van Hove and Andriciuc. 

These principles have been reiterated in the recent EOS case, where the CJEU 
held that the fact that a consumer credit agreement does not mention the annual 
percentage rate of charge and contains only a mathematical formula for its 
calculation without the information necessary to make that calculation is decisive 
evidence in assessing if the terms relating to the total cost of the credit are drafted in 
plain, intelligible language. The key is that a plain, intelligible contract should give 
the consumer ‘full knowledge of the terms of the future performance of the 
agreement entered into at the time of concluding such an agreement’ and of the extent 
of the consumer’s liability. Arguably, such a full knowledge is not provided by 
Echo’s legals, as exemplified by the Amazon Device Terms of Use, under which 
Amazon ‘may amend any of this Agreement’s terms at our sole discretion,’ or 
by Alexa Terms of Use, under which they ‘may change, suspend, or discontinue 
Alexa, or any part of it, at any time.’ This is contrary to the principle of 
transparency, and as such, it allows courts to assess the unfairness of substance of the main 
subject matter of the contract and the adequacy of the remuneration. Similarly, 
the extent of Echo’s consumer’s liability is hard to grasp. Indeed, Amazon may 
terminate the agreement or restrict, suspend, or terminate your use of the services 
at any time, including if they ‘determine that your use . . . is improper . . . or 
differs from normal use by other users.’ As a sanction, consumers ‘may be unable 
to access the Services and (they) may not receive any refund of fees or any other 
compensation.’ Even less intelligibly, then, ‘to the extent permitted by 
applicable law you agree to accept responsibility for all activities that occur under your 
account or password.’ These terms do not provide a clear picture of the 
consumer’s liability — when does one’s use differ from the normal use? — and, hence, 
cannot be considered transparent, plain, and intelligible. 

In RWE Vertrieb, the court noted that it was not sufficient, for transparency to 
be achieved, to include a ‘mere reference, in the general terms and conditions, to a 
legislative or regulatory act determining the rights and obligations of the parties.’ 
It is fundamental, indeed, that ‘the consumer is informed . . . of the content of the 
provisions concerned.’ This interpretation could have significant implications 
for contractual drafting in Europe. In Echo’s scenario, many legals refer to 
generic legislative or regulatory acts. Amazon e.g. ‘reserve the right to accept or 
refuse your (Prime) membership, to the extent permitted by applicable law’ and 
‘will inform you of any decision to restrict, suspend or terminate the Service Plan, 
to the extent that [they] are legally permitted to do so.’ Similarly, after 
introducing a wide liability disclaimer, Amazon points out that ‘[t]he laws of some 
countries do not allow some or all of the limitations described above. If these 
laws apply to you, some or all of the above limitations may not apply to you and 
you might have additional rights.’ Such wide exclusions ‘qualified merely by 
a statement that the trader’s liability is excluded only to the extent permitted by 
statute’ are both unfair and lacking transparency, as underlined by the UK 
Competition and Markets Authority. Whilst this type of phrasing is not uncommon, 
this does not make these terms any less unfair, also given that the IoT exacerbates 
the imbalance of bargaining power and the knowledge asymmetries that are at the 
core of the unfair terms’ regime. Indeed, the ‘legion of IoT data expected to be 
generated about consumers and their preferences will worsen preexisting 
information asymmetry in consumer contracts to the benefit of traders.’ Therefore, 
IoT providers must comply with higher transparency standards. 

The transparency ensured by the use of plain and intelligible language, broadly 
understood, means that courts cannot consider the term in isolation. They have 
to assess it in its relationship to the connected terms in the rest of the contract as 
well as in the connected legals. In Bogdan Matei e.g. the court pointed out that 
the defendant should have set out clearly not only the reasons for a particular term 
(unilateral alteration of interest rate) but also its relationship to the other terms 
‘relating to the lender’s remuneration, so that the consumer can foresee, on the basis 
of clear, intelligible criteria, the economic consequences for him which derive 
from it.’ The imperative to a comprehensive assessment gets to the point that 
the contract must be considered as a whole, including the terms that have been 
meanwhile annulled, as ruled in OTP Bank. Also, documents that may not 
strictly qualify as contracts must be considered, ‘including the promotional 
material and information provided . . . in the negotiation.’ This is important because 
under general contract law, these documents may not qualify as contracts. This 
provision has wider consequences because it means that in drafting the ‘legals,’ 
including those that may not strictly qualify as contracts, e.g. guidelines, Amazon 
and other IoT traders must make sure that consumers can understand both the 
terms and their interrelations so as to assess its ‘actual effects.’ It does not seem 
that such an assessment is possible in the IoT’s contractual quagmire. 

Under EU law, there is currently no express obligation for member states to 
assess the unfairness of terms included in noncontractual documents: these 
documents will be considered in the assessment of contractual terms but not assessed 
in themselves to determine their own unfairness. However, some member states 
have introduced stronger consumer protections by providing a judicial power to 
assess the unfairness of terms in those legals that do not qualify as contracts but as 
mere ‘notices.’ This is the case of the UK, which subjects consumer notices to 
control for unfairness. They are defined as ‘notices, announcements, communications 
or purported communications that relate to rights or obligations between a trader 
and a consumer, or appear to exclude or restrict a trader’s liability to a consumer.’ 
This approach is fit for the IoT, where consumers find themselves in a forest of 
‘legals’ that take a number of forms, including noncontractual ones. The inclusion 
of consumer notices allows courts to assess the unfairness of privacy policies that 
in some jurisdictions may not qualify as contracts and yet contain some of the 
most important provisions about rights, obligations, and liability in IoT transactions. 

Regardless of whether individual terms in the contractual quagmire are opaque, 
it should be questioned whether the practice of submerging consumers with 
countless legals that are difficult to find, read, and understand falls in itself foul of the 
Unfair Terms Directive. One should answer in the positive for a twofold reason. 

First, the directive requires that ‘the consumer should actually be given an 
opportunity to examine all the terms.’ Whilst this statement is contained in a 
recital and is as such not binding, the CJEU in the recent Profi Credit Polska 
case underlined the importance of the circumstance that the ‘consumer has 
actually been given the opportunity to examine (the term’s) content.’ Moreover, 
official guidance provided by the European Commission set out the factors to 
consider when assessing if a term is plain and intelligible. Two factors stand out: 


(i) The consumer had the real opportunity of becoming acquainted with a 
contract term before the conclusion of the contract; ‘this includes the question 
of whether the consumer had access to and was given the opportunity to read 
the contract term(s).’ Only eight of Echo’s 246 legals are grouped in 
an easily accessible ad hoc section. They total 963 pages and 440,547 words; 
therefore, atop the two weeks that it takes to locate them, one would need 
over three days to read them. One could hardly argue that consumers are 
given a real opportunity to read. 

(ii) Contract terms whose impact can only be understood when reading them 
jointly should not be presented in such a way that their joint impact is not 
manifest. The abundance of casting-net provisions in Echo’s legals means 
that the application of this factor will point towards a finding of lack of 
transparency. 


The second reason that the contractual quagmire as a whole may be regarded 
as instantiating unfairness of form is the link between the latter and the good 
faith requirement, which mandates openness. As ruled in Director General of 
Fair Trading, terms should be ‘expressed fully, clearly and legibly, containing 
no concealed pitfalls or traps. Appropriate prominence should be given to terms 
which might operate disadvantageously’ to the consumer. Such prominence is 
usually given by capitalising the disadvantageous terms or writing them in bold 
or separately. Amazon does not follow this best practice, as exemplified by the 
Conditions of Use and Sale that bury the limitations to liability in the text without 
any differentiated formatting. Openness means that consumers should not be 
assumed to be able themselves to identify (particularly in longer contracts) terms 
which are important or which may operate to their disadvantage. In Spreadex v 
Cochrane, a factor rendering a term unfair was the fact that it was buried in 
long ‘legals’ (49 pages, four documents) that were ‘click-wrap’ and contained 
closely printed and complex paragraphs so that it ‘would have come close to 
a miracle if (the consumer) had read the (unfair term), let alone appreciated its 
purport or implications, and it would have been quite irrational for the claimant to 
assume that (they) had.’ 197 

At a closer look, the distinction between unfairness ‘of substance’ and ‘of 
form’ is not clear-cut. This was confirmed in VKI v Amazon. Until mid-2012, 
Amazon.de’s general terms and conditions read, ‘Luxembourg law shall apply, 
excluding [the Convention on the International Sale of Goods].’ The question 
was whether such a term, under which the contract is to be governed by the law 
of the member state in which the trader is established, is unfair. Choice-of-law 
terms are not unfair as such. Under the Rome I Regulation on the law applicable 
to contractual obligations, the condition for the legality of these terms is that 
they do not deprive ‘the consumer of the protection afforded to (them) by 
provisions that cannot be derogated from by agreement by virtue of the law (of the 
country of the consumer’s habitual residence).’ It is up to the national court to 
decide which statutory provisions cannot be derogated, but what matters is the 
guidance offered by the CJEU in assessing the unfairness of choice-of-law terms 
and, arguably, most otherwise-lawful nonnegotiated terms. Such terms may be 
unfair only insofar as they display ‘certain specific characteristics inherent in 
(their) wording or context which cause a significant imbalance in the rights 
and obligations of the parties.’ So in order to ascertain whether an imbalance 
occurs, the key is to look at wording and context. This link between substance 
and form is even more clearly spelled out in the subsequent passage, where the 
court states that unfairness may result ‘from a formulation that does not 
comply with the requirement of being drafted in plain and intelligible language.’ 
Applying Van Hove, the CJEU points out that this ‘formal’ requirement must 
be interpreted broadly, ‘having regard to the consumer’s weak position vis-a-vis 
(Amazon) with respect to (their) level of knowledge.’ VKI has broader 
consequences for IoT contracting and many online transactions. Indeed, the low level 
of knowledge inherent to IoT transactions — at once causing and caused by the 
contractual quagmire — means that IoT traders must adopt higher standards of 
contractual drafting. Otherwise, terms that would normally be lawful, such as 
choice-of-law terms, could be found to be unfair. In VKI, the term was not 
intelligible because it gave the consumer the impression that only the law of 
Luxembourg applied, without informing them that they also enjoy ‘the protection of the 
mandatory provisions of the law that would be applicable in the absence of that 
term,’ in that case Austrian law. 

After the ruling, the term was changed and now reads, ‘Luxembourg law 
applies, excluding the UN Sales Convention (CISG) and the conflict of laws. . . . 
If you are a consumer with habitual residence in the EU, you also enjoy protection 
of the mandatory provisions of the law of your state of residence.’ Therefore, 
the courts of the district of Luxembourg City, which have nonexclusive 
jurisdiction, will have to apply the statutory provisions of the consumer’s country of 
residence. If one compares this provision to the US terms, it becomes 
immediately clear how much stronger EU consumer laws are. Indeed, in the US any dispute is 
‘resolved by binding arbitration, rather than in court . . . and court review of an 
arbitration award is limited’; the arbitrator will exclusively apply ‘Federal 
Arbitration Act, applicable federal law, and the laws of the state of Washington.’ If 
a similar clause were to be found in a European contract, it would fall within the 
scope of one of the grey-listed terms in the Unfair Terms Directive, that is, ‘terms 
which have the object or effect of excluding or hindering the consumer’s right to 
take legal action or exercise any other legal remedy.’ In principle, therefore, 
they would be unfair and not binding, as clarified in Océano Grupo Editorial. 
Moreover, under Aqua Med, terms that leave it to the trader to decide whether 
to bring an action before the court of the place of performance rather than the 
consumer’s domicile may be considered unfair if the distance would make it too 
expensive for the consumer to participate in the trial. This would be in violation 
of the right to defence, as enshrined both in the European Convention of Human 
Rights and the Charter of Fundamental Rights of the EU. 

The above analysis shows that many of Echo’s terms — and the contractual 
quagmire as a whole — can be regarded as unfair and opaque. The IoT contributes 
to overcoming the form-substance binary and to fully embrace transparency as a 
key component of fairness. In a way, it could be said that the IoT corroborates a 
key tenet of Marxist legal theory, that is, that the ‘bourgeois law’ rewrites the 
traditional form-content dichotomy. EU law, especially compared to US law, 
provides stronger protections against unfair terms, but it relies on judicial actions 
brought by individuals who lack the time, resources, and knowledge to inchoate 
the file relevant to the lawsuits or on public enforcement that is partly ineffective 
due to a limited understanding of the technology and of private ordering. IoT 
traders, in light of the complexity of the IoT and of the imbalances in terms of 
power and information, must comply with more stringent requirements of fairness, 
with a particularly urgent need to redraft the IoT legals to make them easy to find, 
read, and understand. From this point of view, EU regulators may learn something 
from the US counterparts and introduce obligations to draft ‘legals’ that reach at 
least a Flesch-Kincaid readability score that does not require a college education 
to understand them. 

The analysed regime aims to curb power imbalance by making imbalanced 
terms nonbinding on the consumer. Another way to curb such imbalance is to 
make sure that traders stand by their contractual commitments by giving consum- 
ers the right to bring the product in line with the contract. This is the domain of 
consumer sales law, which will be analysed in the following section to critically 
assess whether it can be used to empower consumers, in particular by tackling the 
issue of private ordering ‘by bricking.’ 


3.3 Private Ordering ‘by Bricking’: Can IoT Traders Deprive 
Consumers of their Things’ Smartness? 


One day Luke Kurtis, Quartz’s tech contributor, woke up and found that Apple 
locked him out of its walled garden. That day, he understood the consequences of 
going ‘smart’ without reading the ‘legals.’ On an unfounded suspicion of fraud, 
Apple had permanently disabled his account and the customer advisers told him that 
there was no way to review the decision, which they felt they were entitled to make 
under the terms and conditions. All the Things he purchased over the years became 
unusable, a music collection built over 15 years became unavailable, his boarding 
pass unretrievable during a family emergency trip. That was when he realised that, 
if he had read Apple’s ‘legals,’ he would have understood that whilst technically he 
was buying Things, factually he was just ‘renting for a while.’ He understood that 
the IoT’s hyperservitisation is sustained by new business models that allow traders 
to lock consumers into the services they offer exclusively for those Things. 

This anecdote illustrates what happens when IoT traders take advantage of the 
contractual quagmire to deprive consumers of their Things’ ‘smartness.’ Usu- 
ally, the intangible components of a Thing, as opposed to its hardware, make the 
Thing ‘smart’ and thus determine the decision to purchase that particular Thing, as 
opposed to its nonsmart counterpart. However, IoT traders can deprive consum- 
ers of their Things’ smartness by remotely controlling them, downgrading them, 
and even deactivating them or ‘bricking’ them. This is what the previous chapter 
called private ordering by bricking. 

It is crucial that the IoT trader does not discontinue or otherwise adversely 
affect the service, software, and data components of the Thing. Indeed, this would 
downgrade the Thing to a nonsmart device that would be radically different to 
what was promised in the contract or otherwise expected. EU consumer sales law 
aims to ensure that goods are as promised or expected. Therefore, the next section 
will investigate if these laws can be invoked to tackle the issue of private ordering 
by bricking or if they are unfit for the IoT. In other words, can IoT traders deprive 
consumers of their Things’ ‘smartness,’ or does bricking instantiate an unlawful lack 
of conformity? 


3.3.1 EU Consumer Sales Law and the Lack of Conformity of the Thing to 
the ‘Legals’ 


Directive 1999/44/EC (First Consumer Sales Directive) was introduced to tackle 
the issue of faulty products by requiring traders of consumer goods to guarantee 
that the goods are in conformity with the contract for at least two years after their 
delivery. This is the main principle of EU consumer sales law. 

Conformity — one of the key concepts of modern contract law — is not defined. 
The directive refers to four scenarios where conformity is presumed 
(presumptions of conformity or types of conformity). 


(i) As described. The goods comply with the description given by the trader and 
possess the qualities of the sample or model. 

(ii) Particular purpose. The goods are fit for the purpose which the consumer 
made known to the trader when concluding the contract and that the trader 
accepted. 

(iii) Usual purpose. The goods are fit for the purpose for which goods of the same 
type are normally used. 

(iv) Reasonably expected quality and performance. The goods show the quality 
and performance which are normal in goods of the same type and which the 
consumer can reasonably expect. This expectation depends on the nature 
of the goods and the trader’s public statements, including advertising and 
labelling. 


In the event of lack of conformity, in addition to the general remedies in tort and 
contract, consumers have a right to have the goods repaired, replaced, reduced 
in price, or the contract terminated. Repair and replacement must be free of 
charge; as the CJEU stated in Quelle, the rationale for this is that if ‘a seller 
delivers goods which are not in conformity, it fails correctly to perform the 
obligation which it accepted in the contract of sale and must therefore bear the 
consequences of that faulty performance.’ The most important novelty in the directive 
is not the introduction of repair and replacement as remedies to the breach of 
contract, which had already been introduced by the Convention on the 
International Sale of Goods. Rather, it is the hierarchy between these remedies. This 
means that the consumer must in the first instance ask for repair or replacement, and 
only if these are impossible or disproportionate will they have to choose between 
reduction of price and contract rescission. Finally, a commercial guarantee 
must be set out in plain, intelligible language and indicate what rights it gives on 
top of the legal guarantee. 

The right to repair is the most likely to be relevant in the context of a strategy 
against private ordering by bricking. Indeed, if an IoT trader recalls some smart 
functionalities, downgrades the Thing, bricks it, etc., they are making it noncon- 
forming to the contract or to consumers’ expectations. In this context, the right to 
repair can be interpreted as a right to have the smartness of the Thing restored. As 
smartness is mostly intangible, it can be, in principle, restored remotely, without the 
need to recall the Thing and replace it. This interpretation was codified in domestic 
laws, such as the UK’s CRA, where the good is considered as nonconforming if 
it includes digital content and said content does not conform to the contract, 
hence the right to repair it, which means that a Thing’s digital components must 
match the description of the contract. The main issue is that the right to repair the 
digital content, i.e. the right to restore the smartness, does not apply if consumers 
‘have expressly agreed a change to the description with the consumer.’ In light 
of the power imbalance that such a provision would exacerbate, one could argue 
that it could be considered both an unfair term and an unfair commercial practice. 

These rights cannot be waived or restricted through agreements concluded 
before the lack of conformity is brought to the trader’s attention — such 
agreements will not be binding on the consumer. The hierarchy of remedies — with 
the prevalence of specific performance over compensatory remedies — and the 
unenforceability of the agreements to the contrary constitute evidence that EU 
consumer sales law does not only have the objective to protect consumers but 
also pursues ‘a specific idea of market,’ where the sale’s traditional exchange 
function gives way to a consumeristic imperative. 

The realisation of a certain idea of market is somehow hindered by the fact that 
the First Consumer Sales Directive is a measure of minimal harmonisation, and 
therefore, amongst other things, member states are not obliged to introduce a 
hierarchy of remedies. Member states can introduce more business-friendly regimes 
and e.g. subject this directive’s rights to the consumer’s communication to the trader 
about the lack of conformity — this is the case of Italy, although this requirement 
does not apply if the trader acknowledged the existence of said lack or hid it. 
Member states can also introduce more stringent rules, as did the UK by applying 
the general six-year limitation period for contract claims in England, Wales, and 
Northern Ireland (five years in Scotland), as opposed to the general EU limitation 
of liability to the lacks that become apparent within two years from the delivery. 

From an IoT perspective, probably the most problematic aspect is to determine 
to what extent Things can be goods and, correspondingly, if the nonhardware 
components’ lack of conformity can trigger the rights of the consumers under 
the First Consumer Sales Directive. Additionally, there is the problem of whether 
most IoT contracts can be qualified as ‘sale’ and, even before that, as ‘contracts.’ 
Indeed, the directive sets forth the laws on contracts of sale of consumer goods; 
therefore, consumers could not invoke it to counter private ordering by bricking, 
if IoT contracts do not qualify as sale. 


3.3.1.1 Are Things ‘Goods’? 


Starting off with the concept of goods, this refers to ‘any tangible movable item,’ 
which would suggest that most Things, having physicality as a definitional feature, 
may qualify as goods. However, the argument could be put forward that when the 
tangible component is minimal and the prevalent components are software, service, 
and data, then Things are not necessarily ‘goods.’ For example, Echo Input’s core 
is the computer program that, once Input is plugged into a traditional speaker, 
transforms the latter into an Alexa-enabled speaker. The interpretation of good whereby 
products such as Input are not goods because their intangible components 
arguably prevail over their tangible ones is not convincing, for a twofold reason. First, 
this interpretation would be inconsistent with the First Consumer Sales Directive’s 
objective to ‘strengthen consumer confidence and enable consumers to make the 
most of the internal market.’ Such arbitrary exclusion would adversely affect 
consumer confidence as it would potentially leave out a large quantity of goods 
whose tangible element is ancillary, as their smartness is dictated by their intangible 
elements. Second, it would decrease legal certainty as one could hardly predict if 
a Thing fell within or beyond the scope of sale of goods law. Indeed, it is unclear 
who would decide when the tangible component of a Thing would be prevalent. 
Therefore, any Thing will qualify as good under the First Consumer Sales Directive, 
regardless of how prevalent the tangible component is. 

Although this limitation is unlikely to be problematic in the IoT, since Things 
are tangible, it is important to underline that the applicability of this regime 
to only tangible, movable goods can lead to unreasonable discriminatory effects, as 
epitomised by St Albans City and District Council v International Computers Ltd. 
In the Sale of Goods Act 1979, now mostly replaced by the CRA, goods include all 
‘personal chattels other than things in action and money.’ In turn, ‘personal 
chattels’ refers to ‘tangible movable property.’ The defendant in St Albans argued that 
this meant that since the consumer’s problem was caused by a defective computer 
program, the latter was distinct from the tangible disc, and therefore, it could not 
be said that they had not supplied ‘goods’ of satisfactory quality. The argument was 
rejected because hardware and software cannot be seen as distinct: 


By itself hardware can do nothing. The really important part of the system is 
the software. Programs are the instructions or commands that tell the 
hardware what to do. The program itself is an algorithm or formula. It is of 
necessity contained in a physical medium. 


Perhaps paradoxically, St Albans ended up being used for the opposite purpose, 
namely, to deprive the consumers of their protection whenever digital products 
are supplied over a network, as opposed to a tangible format (e.g. a CD). This 
distinction effectively weakens the protection of consumers and makes little sense 
from an economic perspective, as stated in UsedSoft. The distinction is also 
outdated, since CDs and downloads are increasingly replaced by mere access to 
the program on the cloud (software-as-a-service), as the IoT is shifting towards 
the Cloud of Things. These problems have been resolved by the CRA, which 
has effectively extended the remedies traditionally provided for consumer goods 
to contracts for the supply of digital content, defined broadly as ‘data which 
are produced and supplied in digital form.’ The solution is only partial because 
whilst the tangible medium is not required if the consumers paid a monetary price 
for the digital content, ‘free’ content (including content ‘paid’ through personal 
data) will fall within the scope only under certain circumstances. In particular, it 
will fall within the scope if it was supplied with goods (‘tangible moveable items’), 
services, or other digital content for which the consumer paid a price, and if the 
content would not be otherwise generally available to consumers. The reference to 
money may be seen as including cryptoassets, but not personal data, thus excluding 
the content provided by traders adopting one of the most common business models of today. 
Positively, this Act shows awareness of the fact that content, goods, and services 
are increasingly bundled. Accordingly, the attempt from businesses to limit or 
disclaim liability by arguing that a Thing’s tangible and intangible components 
are separate shall be unsuccessful. It is to be hoped that the reference to ‘goods,’ 
defined as necessarily tangible, will not allow the survival of the St Albans 
jurisprudence with its focus on the physical medium: intangible goods (digital 
content) are today on an equal standing with tangible goods. 


3.3.1.2 Does ‘Bricking’ Instantiate a Lack of Conformity? 


A more intricate question is whether the nonhardware components’ lack of 
conformity can trigger the rights of the consumers under the First Consumer Sales 
Directive. As seen above, there are four types of conformity (or presumptions of 
conformity): ‘as described,’ fit for a particular purpose, fit for the usual purpose, 
and ‘as reasonably expected.’ 

First, if the description of the Thing, the sample, or the model included its 
intangible components, consumers would have to be entitled to their rights to 
repair, replace, etc. if these components are not as described or sampled. For 
example, Alexa Terms of Use describe Amazon’s virtual assistant as ‘a 
continuously improving service that you control with your voice.’ If an Echo’s Alexa 
stops improving or can no longer be controlled by the consumer’s voice, the latter 
will be able to invoke their rights under the First Consumer Sales Directive, in 
particular the right to repair as right to have the smartness restored. 

Second, the rights to repair, replace, etc. should be available if the particular 
purpose cannot be achieved due to a fault or issue in the Thing’s intangible com- 
ponents. For example, if the consumer tells the trader that they will use the phone 
for videoconferences but the phone turns out to be unable to do so, then it is not 
fit for the particular purpose. On the one hand, one could expect this type of lack 
of conformity to be less relevant in the context of the IoT, where nonnegotiated 
and unilaterally imposed legals prevail and hence the consumer may not have 
the opportunity to communicate with the trader about the particular purpose for 
which the Thing is purchased. On the other hand, IoT traders have a wealth of 
knowledge about potential customers, and therefore one could argue that they are 
aware of the particular purpose of the Thing, for example, if they track and profile 
customers for direct marketing purposes. Yet this type of conformity is not rel- 
evant if the trader does not accept the particular purpose, which makes it unlikely 
to be relevant in an IoT context. 

A third type of conformity is the fitness to the usual purpose. This book defined 
the Thing as capable of (inter)connectivity, sensing, and actuating. Therefore, if 
a Thing does not exhibit these capabilities, e.g. it does not connect to the internet, 
then it is unlikely to be fit for its usual purpose. In Echo’s case study, its usual 
purpose includes giving information about the weather, listening to music, and 
controlling other Things. If Echo is no longer available to do this, for example for 
interoperability issues, consumers have the right to have the smartness restored, 
regardless of whether the issue regards the hardware components of the Thing or 
not. In considering whether this presumption of conformity applies, one needs to 
recall that ‘repurposing’ is one of the IoT’s crucial features. As seen in Chapter 1, 
repurposing is the phenomenon whereby an IoT system is designed for a purpose 
but ends up being used for purposes other than those originally foreseen, in two 
scenarios: (i) the communication within the relevant subsystem and among 
subsystems can lead the system to perform actions and produce information which the 
single Thing was incapable of or that could not be foreseen by its manufacturers, 
and (ii) under certain conditions (e.g. an emergency) the system may reconfigure 
either in an automated fashion or a user-initiated one. Since repurposing is a com- 
mon feature of IoT systems, the relevant traders should be aware that a Thing’s 
‘usual purpose’ can vary over time. Therefore, IoT traders should make sure that 
the Thing is fit for the new purposes, thus stretching the concept of foreseeability. 

Fourth, courts will look at which qualities and performance consumers can 
reasonably expect. As the CJEU recently noted in Bosch, consumers expect Things 
to have either a normal connection to a network or to allow for the interconnection 
between goods. This type of conformity is likely to be the most relevant to counter 
private ordering by bricking. Indeed, IoT traders may leverage their data power 
to impose legals that allow them to deprive consumers of their Things’ 
‘smartness.’ However, since smartness is an IoT consumer’s reasonable expectation — 
and since consumers cannot reasonably be expected to read the legals — it can 
be concluded that private ordering by bricking instantiates a lack of conformity 
of this type. To assess what can be reasonably expected, courts will also look at 
the nature of the goods and the public statements. As to the nature of Things, 
smartness is at their core. As to the public statements, we have seen that in Echo’s 
legals there is the commitment that Alexa will learn over time. Continuous 
learning is a reasonable expectation of Echo’s consumers. As an example of statements 
that are found not in the legals but only in advertising — which is relevant because it 
qualifies as a public statement — Amazon advertises Echo Show primarily as a clock 
(Figure 3.2), so the fact that an update made it virtually impossible to use it as a 
clock, as lamented in some customers’ reviews, means that Echo Show lacked 
conformity to Amazon’s public statements. 

All four conformity presumptions — as described, particular purpose, usual 
purpose, as reasonably expected — apply to the IoT. Therefore, consumers can 
counter ‘bricking’ and related practices by exercising their rights to have the 
Thing repaired or replaced, the price reduced, or the contract rescinded. What is 
changing is how these rights work in practice: the nature of the IoT means that 
most Things can be repaired remotely, and their intangible components replaced 
remotely. Traders can avoid repairing and replacing if these are impossible or 
disproportionate. Fixing the intangible components of a Thing remotely — e.g. 
through an over-the-air update — seems by definition always possible. Dispro- 
portionate, in turn, means unreasonably expensive, which does not seem to be 
the case for the repair and replacement of Things due to intangible issues. For 
example, Amazon patched remotely a Wi-Fi vulnerability in Echo and Kindle 
that enabled man-in-the-middle attacks. Consequently, most of the time IoT 
consumers will be able to demand specific performance, as it is difficult for 
traders to prove that repairing and replacing are disproportionate or impossible. 
In a way, it could be said that the IoT reinforces the EU lawmaker’s preference 
for an idea of market where repair and replacement prevail because they keep 
the contract alive and they foster the new consumeristic function of the sale of 
consumer goods, which is the cornerstone of a perfectly competitive internal 
market. 

Figure 3.2 The first of the images used by Amazon to advertise Echo Show 5.7 


3.3.1.3 Are IoT Contracts ‘Sales’? 


The qualification of Things as goods and the issue of intangible conformity are 
not the only reasons that the application of the First Consumer Sales Directive to 
the IoT, and to the private ordering by bricking, is problematic. The directive has 
a relatively narrow scope regarding ‘certain aspects of the sale of consumer goods 
and associated guarantees.’ If there is no contract of sale, including contracts 
for the supply of consumer goods to be manufactured or produced, the directive 
and the relevant rights and remedies will not apply. 

Since there is no harmonised definition of sale, one should refer to the national 
rules on contract of sale that will apply to the sale of consumer goods inasmuch 
as compatible with the First Consumer Sales Directive. As a generally accepted 
definition of sale, one can refer to the most ambitious attempt to build a common 
set of private laws in the EU, namely, the Draft Common Frame of Reference, 
whereby a contract for the ‘sale’ of goods is a contract under which one party, the 
seller, undertakes to another party, the buyer, to transfer the ownership of the goods 
to the buyer, or to a third person, either immediately on conclusion of the contract 
or at some future time, and the buyer undertakes to pay the price. 

The key element is the transfer of ownership. The Amazon Device Terms of 
Use do not clarify if the ownership is transferred to the consumer, but they expressly 
exclude the application of the Convention on the International Sale of Goods. 
This term could be construed as meaning that consumer sales laws that are not 
expressly excluded, such as the First Consumer Sales Directive and its national 
implementations, should apply. The Device Terms, moreover, refer to the 
Conditions of Use and link to their page, which is titled ‘Conditions of Use & Sale.’ 
The Conditions of Sale constitute the second part of the latter, and they ‘govern 
the sale of products by Amazon EU SARL to you’ — of all products, including 
Echo. Under these conditions, Amazon ‘conclude the contract of sale for a product 
ordered by you, when we dispatch the product to you.’ Whereas this is an 
argument in favour of the qualification of some of Echo’s legals as a sale, one needs 
also to consider that Amazon does not transfer ownership of Echo’s intangible 
components; indeed, it grants only ‘a limited, non-exclusive, non-transferable, 
non-sublicensable licence to access and make personal and non-commercial use of the 
Amazon Services.’ Moreover, such services are defined broadly as 
encompassing devices, products, services, mobile apps, and software provided by Amazon 
in connection with any of the foregoing. Since all ‘rights not expressly granted 
to you in these Conditions of Use or any Service Terms are reserved and retained 
by Amazon,’ some may argue that consumers are only renting Echo, namely, 
using it under the terms of a license but not owning it. This line of thought may be 
supported by the fact that Amazon purports to disclaim liability if Echo’s digital 
contents become unavailable — which may be seen as proof that the consumer 
did not own them in the first place, and that some of the legals and services can be 
changed without warning and at Amazon’s sole discretion. 

Whilst there are arguments both in favour and against the qualification of an 
IoT sale as proper sale for all purposes, in light of the broad wording of the First 
Consumer Sales Directive and its objectives, it can be concluded that as long as 
the contract is either expressly qualified as a sale or transfers the ownership of the 
Thing as a whole, then it will be a ‘sale’ at least for the purposes of the aforemen- 
tioned directive, whose rights and remedies will be available in most business-to- 
consumer IoT transactions. 

A separate, albeit closely interwoven, issue is which contract one needs to look 
at in assessing the lack of a Thing’s conformity. Whilst the existence of a contract 
of sale or of a guarantee is necessary for a dispute to fall under the First 
Consumer Sales Directive, in the IoT’s contractual quagmire, the legals must be 
considered jointly, in their interrelationships. The directive seems flexible enough 
to accommodate this because the parameter of the conformity, or lack thereof, 
is not necessarily to be found in the contract of sale: it can depend also on ‘any 
public statements on the specific characteristics of the goods made about them 
by seller.’ Whilst this passage primarily refers to advertising and labelling, the 
mountain of legals that consumers have to accept when using a Thing can be 
deemed to fall at least within the concept of public statement. Consequently, con- 
sumers can invoke the rights to have the Thing’s smartness restored not only when 
it lacks conformity with the contract of sale but also with the other connected 
legals that create a reasonable expectation that the Thing has certain qualities or 
performance. For example, even though Echo’s Conditions of Sale do not contain 
a commitment that Alexa will learn continuously, if Alexa stops improving, this 
may be regarded as a lack of conformity because Amazon committed to it in 
Alexa Terms of Use. 

To conclude, the First Consumer Sales Directive is, in principle, flexible enough
for the IoT, and it can be invoked to counter private ordering by bricking through
a right to repair construed as a right to have the Thing’s smartness restored. The
main limitation of this regime is that traders are liable ‘for any lack of conformity
which exists at the time the goods were delivered.’282 Arguably, if a trader bricks
the Thing after the delivery, that lack of conformity did not exist when the Thing
was delivered. This issue is partly offset by the fact that, if the lack (e.g. the
bricking) manifests itself within six months, the consumer will not have to prove that it
existed at the time of delivery.283 However, traders can rebut this presumption.284
Moreover, after the six months, the burden of proof will be on the consumer.285
As to said burden, the CJEU in Faber286 clarified that the consumer has to prove
the lack of conformity, not ‘the cause of that lack of conformity or to establish
that its origin is attributable to the (trader).’287 IoT consumers may find it
difficult to prove that the deprivation of the smartness existed at the time of delivery.
A solution could be to construe ‘delivery’ broadly. Indeed, since in the IoT the
good’s key components are intangible, and given that the intangible components
are delivered throughout the Thing’s life cycle, any deprivation of smartness will,
by definition, take place at the time of delivery. Directive 2019/771 (‘Second
Consumer Sales Directive’), which will replace the First Consumer Sales
Directive, expressly embraces this solution.288 Indeed, it provides that, in the case of
goods with digital elements, where the sales contract provides for a continuous
supply of the digital content or digital service over a period of time, the seller shall
also be liable for any lack of conformity of the digital content or digital service
that occurs or becomes apparent within the period during which the content or
service is to be supplied.289 The next section will deal with this new directive that,
alongside the new Digital Content Directive, has been welcomed as the ‘main
development in European contract law and consumer contract law’290 of the last
twenty years.


3.3.2 The EU Reform of the Laws on Consumer Sales and Supply of 
Digital Content and Digital Services 


Unlike a minority of member states such as the UK,291 Germany,292 and the
Netherlands,293 EU consumer laws still rely on the tangible-intangible dichotomy,
despite the increasing awareness of its untenability. Under EU law, there is no
obligation to recognise the right to repair, replace, etc. faulty intangible products,
but this will change soon as a result of the adoption of Directive 2019/771
(‘Second Consumer Sales Directive’)294 and Directive 2019/770 (‘Digital Content
Directive’), collectively ‘the EU reform.’ Member states will have to implement
these directives by 1 July 2021, and the implementing measures will apply from
1 January 2022.295 Whilst some authors296 argue
that the First Consumer Sales Directive applies to digital content and that the
characteristics of the medium are not relevant, with the reform, for the first time
expressly,297 the conformity requirements will apply also to digital content and
digital services. This reform aims to modernise the existing rules on the lack of
conformity of goods to the contract and complement them with a similar regime
regarding digital content and digital services.298 This is fundamental because at
‘the heart of the digital revolution is the way digital content is utilised,’299 and the
IoT calls for the convergence of rules on intangible goods and tangible ones.
Derived from the failed Common European Sales Law project300 and part of
the Digital Single Market strategy,301 these directives follow the principle of
maximum harmonisation,302 which sets them apart from the First Consumer Sales
Directive, which aimed at minimum harmonisation.303 This notwithstanding,
some provisions leave room for national tailoring; for example, member states
can decide whether or not to extend the subjective scope of application, e.g. by
including natural or legal persons that are not consumers, such as
nongovernmental organisations, start-ups, and small and medium enterprises.304 Such an
extension would be positive in light of the rise of prosumers and to address power
imbalances in business-to-business relationships.305 From this book’s perspective,
it is crucial to ascertain whether the reformed law relies on the tangible-intangible
dichotomy and, relatedly, if the separate regulation of sale of tangible goods and
provision of digital content/services is fit for the IoT.

The goal of this reform is ‘to contribute to the proper functioning of the
internal market while providing for a high level of consumer protection.’306 This
makes explicit what scholars307 inferred from the First Consumer Sales Directive,
namely, that consumers are protected as a means to the actual end of achieving a
perfectly competitive single market.308 The pursuit of a certain idea of market
through consumer laws was epitomised by the First Consumer Sales Directive’s
hierarchy of remedies, whereby the remedies that preserve the validity of the
contract prevail over remedies that make the contract void. For example, the consumer
cannot choose to ask for the termination of the contract: they have to first opt for
the performance remedies (repair and replacement). As mentioned above, such an
approach reinforced the new consumeristic function of consumer sales.309 Before
the reform, member states were free to decide whether or not to introduce the
hierarchy of remedies. With the reform, the original plan comes full circle as
the principle of maximum harmonisation will force member states to introduce
the remedial hierarchy.310 This is one of the main reasons that the new law has
been criticised and the EU has been called to withdraw it.311

Without the ambition of a comprehensive coverage of this reform, the analysis
below will focus on the following aspects:


(i) Express inclusion of ‘goods with digital elements’;
(ii) Definition of sale and inclusion of nonmonetary exchanges, namely,
personal data, as consideration;
(iii) Changes in the presumptions of conformity that become requirements for
conformity.


3.3.2.1 The Grey Area between Goods with Digital Elements and
Mere Carriers


The second innovation — the most important one, from an IoT perspective — is that
while goods are still defined as necessarily tangible,312 there is an express
inclusion of ‘goods with digital elements.’ These


incorporate or are inter-connected with digital content or a digital service in
such a way that the absence of that digital content or digital service would
prevent the goods from performing their functions.313


From this book’s standpoint, this is positive news because it seems clear that most
Things can be regarded as goods with digital elements inasmuch as they have a
tangible component and are entangled with software, service, and data that are
necessary for the Thing to be ‘smart’ or altogether to work. This is not to say that
the sale of Things would not fall under the First Consumer Sales Directive. As
argued above, the previous regime could already be interpreted as meaning that the
sale of goods applied to Things and ‘goods with digital elements’ more generally,
as long as a tangible element was present. The new wording better reflects current
IoT applications, where the good (Thing) is rarely just a medium; it is integrated
with intangible components that are often vital to its functioning. It remains to
be seen what will happen to goods that include digital elements but can perform
their tasks without the latter. It will be assessed below whether the Digital Content
Directive covers those Things that can perform their functions without a particular
digital content or service, as it is not clear when ‘the absence of (the) digital
content or digital service would prevent the goods from performing their functions.’314

The Digital Content Directive leaves goods with digital elements expressly out
of its scope if the content or service is provided ‘with the goods under a sales
contract concerning those goods.’315 At first glance, one could think that if there
is a tangible good (including one with digital elements), the Second Consumer
Sales Directive will apply, whilst if there is no tangible good, the Digital Content
Directive will apply. However, the matter is more complicated than this for a
twofold reason.

First, the latter directive also applies to ‘digital content which is supplied on
a tangible medium, such as DVDs, CDs, USB sticks and memory cards, as well
as to the tangible medium itself, provided that the tangible medium serves
exclusively as a carrier of the digital content.’316 Since legal certainty is one of the
objectives of the reform,317 provisions such as this hinder its achievement. Indeed,
there is a vast grey area between a good whose digital components are vital to its
functioning — falling within the scope of the Second Consumer Sales Directive —
and goods that are exclusively a carrier of the digital content, to which the Digital
Content Directive will apply (Figure 3.3).

Figure 3.3 The ‘smart’ grey area left out of the scope of the new law of consumer sales.

It is not clear what happens to all the Things that are embedded with digital
components and yet can function without them but do not qualify as mere carriers
of the digital content. Arguably, for example, Echo can function without Alexa
(as a speaker), and it is not a mere carrier of Amazon’s virtual assistant. Such
Things qualify neither as goods with digital elements nor as mere carriers; therefore,
there is no certainty as to which, if any, protections consumers will be able to rely
on. Conversely, in some scenarios, both regimes may apply. For example, Echo
Input — a Thing that can ‘bring’ Alexa to any nonsmart speaker — cannot function
without Alexa; hence, it is a good with digital elements, but it can also be seen
as its mere carrier. This is not only a risk to consumers. Indeed, it may lead to
conflicting compliance burdens to the detriment of IoT companies themselves.

A second reason that there is a grey area is that the Digital Content Directive
excludes goods with digital elements only if the content or service is provided
‘with the goods under a sales contract concerning those goods.’318 Let us imagine
a smart function added to a good via an update released after the sales contract
(e.g. an Alexa ‘skill’). Does the exclusion of these particular goods with digital
elements mean that the other goods with digital elements — when the content
or service is not provided with the goods under a sales contract (e.g. after the
contract) — fall under the Digital Content Directive, that the latter will apply to
the digital elements and the Consumer Sales Directive to the tangible component,
or will they be left without protection? Different judges may consider Things as
goods with digital elements, mere carriers, neither, or both, thus decreasing legal
certainty and hampering the Digital Single Market. It will be up to national
lawmakers, hopefully in a coordinated fashion, to ensure that the transposing
measures will prevent this from happening.

A solution may build on the Digital Content Directive’s provision, whereby


in the event of doubt as to whether the supply of incorporated or
inter-connected digital content or an incorporated or inter-connected digital
service forms part of the sales contract, the digital content or digital service
shall be presumed to be covered by the sales contract.319


Whilst this provision may not apply to many scenarios falling within the
aforementioned grey area (e.g. Things that can function without certain digital components), it
can be seen as an expression of a more general preference for, and hence prevalence
of, the sale of goods regime over the Digital Content Directive, in case of doubt. To
further corroborate this view, the latter directive also provides that in the event of
a contractual bundle — contracts bundling e.g. sale of goods, supply of digital content,
and provision of nondigital services — the Digital Content Directive will ‘only apply
to the elements of the contract concerning the digital content or digital service.’320
In this sense, this directive could be seen as playing an ancillary function, compared
to the sale of goods regime that should apply to all scenarios falling within the grey
area and when in doubt. While this may be regarded as a good, pragmatic provision,
it may also be seen as a reflection of the hierarchy of values in a pre-IoT world, where
tangible goods were considered more important than intangible ones.


3.3.2.2 The Definition of Sale and the Inclusion of Nonmonetary Prices 


Another novelty in the reform is that the ‘sales contract’ is now defined as meaning
‘any contract under which the seller transfers or undertakes to transfer
ownership of goods to a consumer, and the consumer pays or undertakes to pay the
price thereof.’321 The limitation to distance contracts, originally provided in the
Commission’s proposal,322 has been removed following criticism by businesses,
consumers, and commentators.323 A harmonised definition of sale increases legal
certainty, especially in cross-border transactions. However, this definition is not
IoT-friendly, for two reasons. First, as we will see in Chapter 6, the IoT ushers
in the death of ownership — and if the consumer does not acquire the ownership
of the Thing, the contract will not qualify as sale and the relevant remedies will
not apply. Second, the reference to the price may be interpreted as excluding
nonmonetary value transfers (e.g. personal data transfers), which under the
previous regime might have been regarded as included in the directive, since there
was no reference to the necessity of a price.324 A large number of IoT-related
transactions, where the Thing is exchanged for the consumer’s data, would be
left without protections. Arguably, the directive refers to ‘price’ because of the
remedy of price reduction. However, it is my opinion that the ‘price’ should not
be necessarily monetary, and in the event of a sales contract where personal data
is used to purchase a good, the price reduction may be construed as meaning a
reduction in the quantity of personal data transferred to the trader. An argument
in favour of this position is that, to achieve the Digital Single Market in an IoT
world, where the distinction between tangible and intangible is blurred, the same
rules should apply to goods, digital content, and digital services, where possible.

The express inclusion of nonmonetary prices is the most visible difference
between the Second Consumer Sales Directive and the Digital Content Directive.
The latter does not require a monetary price to be paid; indeed, it also covers
scenarios where ‘the consumer provides or undertakes to provide personal data to
the trader.’325 Data as contractual consideration or counterperformance has been
regarded326 as one of the most important challenges faced by private law in this
era of digitalisation. This is also a key difference between the Digital Content
Directive and the UK CRA,327 which defines the price in monetary terms.
Applying both directives to consumer contracts regardless of a monetary price not only
would be conducive to the proper functioning of the internal market but would
also take account of one of the most popular business models in the digital
economy, where personal data instantiates the contractual consideration. However, the
Digital Content Directive is no model of legislative perfection. The provision of
personal data as consideration in consumer contracts has been criticised mainly
for three reasons.328 First, it has been seen as contrary to the GDPR. While it is
possible to argue both ways, nothing in the GDPR prevents a data subject from treating
their data as a commodity. On the contrary, innovations such as the right to data
portability signal that personal data is useful to access many services, and the data
subjects can dispose of them at their discretion.329 Some issues may nevertheless
arise, e.g. if the exercise of the right to erasure can lead to a breach of contract
when personal data is the consideration. The second criticism is the concern that
the nature of data protection as a fundamental right may be affected. It is
possible to respond to this that the fundamental nature of a right is not affected by
its transferability; for example, property is a fundamental right, and yet one can
transfer it.330 To exclude personal data from the concept of price would result in
the nonapplication of the laws on consumer sales, which in turn would lead to a
diminished protection of the consumer-data subject. A third criticism is that the
lawmaker should not legitimise a business model that runs counter to data
protection. The criticism misses the point, as proved by the fact that the UK government
decided to define the price in monetary terms and excluded personal data as
consideration as a result of lobbying by businesses that argued ‘that inclusion might
inhibit business development.’331 I believe that the Digital Content Directive has
positively taken a pragmatic approach that, taking account of a shift in
contractual practices towards personal data as the default consideration, has broadened
the scope of EU consumer law to strengthen the protection of consumers and
advance the harmonisation of the relevant rules to achieve the goal of the
Digital Single Market.332 In September 2020, Singapore announced a partnership with
Apple whereby citizens would be paid to use Apple Watch.333 Companies are
increasingly willing to compensate data producers not only with services but also
with money. Denying that data is a new currency seems futile: the point is how
to prevent data abuses and strengthen data control in a market that relies on data
monetisation.


for a Directive on certain aspects concerning contracts for the online and other distance sales of
goods (COM/2015/635 final), ‘[t]his Directive lays down certain requirements concerning
distance sales contracts concluded between the seller and the consumer.’

323 Giliker (n 290).

324 The prevalent interpretation, however, would require monetary prices, since one of the remedies
is the price reduction. cf Mak (n 232).

325 Digital Content Directive, art 3(1), italics added.

326 Sebastian Lohsse, Reiner Schulze and Dirk Staudenmayer (eds), Data as Counter-Performance —
Contract Law 2.0? Münster Colloquia on EU Law and the Digital Economy V (Hart — Nomos 2020).

327 S 33, as noted by Giliker (n 290).

328 Laura Drechsler, ‘Data As Counter-Performance: A New Way Forward or a Step Back for the
Fundamental Right of Data Protection?’ <cris.vub.be/files/36462976/IRIS2017_DRAFT_Drechsler_V3.pdf>;
Alberto De Franceschi, La Circolazione Dei Dati Personali Tra Privacy e Contratto,
vol 156 (Edizioni scientifiche italiane 2017); European Data Protection Supervisor, ‘Opinion
4/2017 on the Proposal for a Directive on Certain Aspects Concerning Contracts for the Supply of
Digital Content’ (2017).

329 GDPR, art 20.

330 Whilst it is generally accepted that property is a fundamental right, this characterisation is
controversial. See e.g. Gregory S Alexander, ‘Property as a Fundamental Constitutional Right? The
German Example’ (2002) 88 Cornell Law Review 733.

331 Giliker (n 290) 121.

332 cf Madalena Barreto Torres de Mendonca Narciso, ‘“Gratuitous” Digital Content Contracts in EU
Consumer Law’ (2017) 6 Journal of European Consumer and Market Law 198.

333 Sareena Dayaram, ‘Apple and Singapore to Reward Apple Watch Users for Keeping Healthy’
(CNET, 16 September 2020) <www.cnet.com/news/singapore-to-reward-citizens-for-healthy-activity-apple-watch/>.


From this book’s perspective, the main issue with the Digital Content
Directive’s provision, including the contracts having personal data as consideration, is
the reference to the ‘provision’ of personal data by the consumer. As confirmed by
the GDPR, oftentimes personal data is not provided by the data subject; instead,
it can be collected from third parties (e.g. Facebook sharing user preferences with
the advertisers)334 or otherwise generated (e.g. inferred through observation of
online behaviour).335 This is particularly important in an IoT world, where
surveillance capitalism manifests itself through ubiquitous and surreptitious monitoring,
tracking, and profiling of users of smart technologies.336 Accordingly, the GDPR
deals separately with the information to be provided, where personal data are
collected from the data subject,337 and the one to be provided where personal data
have not been obtained from the data subject.338 Hopefully, the national measures
implementing the EU reform will clarify that the latter covers all the contracts
where the trader transfers or undertakes to transfer a good’s ownership or digital
content/service is provided in exchange for personal data, regardless of whether
the consumer provided it. Thus, they would implement the European Parliament’s
recommendation339 to expand the directive’s scope to include digital content
supplied against data that consumers provide passively.

The Digital Content Directive excludes those contracts where personal data is
processed by the trader exclusively for the purpose of:


(i) Allowing the trader to comply with legal requirements to which the trader is
subject,340 or

(ii) Supplying the digital content or digital service in accordance with the
directive.341


The directive illustrates the first scenario by referring to the example of
mandated processing for security and identification purposes.342 However, it does not
clarify whether the ‘legal requirements to which the trader is subject’ refers only
to laws obliging the trader to process certain data or whether it is sufficient that
the law justifies the processing without making it mandatory. The distinction is
subtle but crucial. As an example of obligatory processing, one can think of the
strong authentication measures imposed by the PSD2. As an example of laws
merely justifying personal data processing, one can refer to the so-called upload
filter343 under the DSM Copyright Directive. Whilst the draft directive contained
an obligation for online platforms to ex ante filter user-generated content,344 the
final version incentivises the implementation of such filters; it does not mandate
them, even though one can expect that providers will indeed implement them to
minimise exposure. Indeed, Article 17 now provides that online content-sharing
service providers are liable for unauthorised acts of communication to the public
unless they show that they ‘made, in accordance with high industry standards of
professional diligence, best efforts to ensure the unavailability’345 of the
unauthorised content and have ‘made best efforts to prevent their future uploads.’346
Arguably, an interpretation of ‘legal requirement’ as ‘legal obligation’ or duty is
to be preferred because it is closer to the literal meaning of the provision and more
conducive to its protective rationale. Therefore, laws like the upload filter,
authorizing yet not mandating personal data processing, cannot be invoked to bring the
matter outside of the scope of the Digital Content Directive.

Even more controversial is the exclusion of those contracts where personal data
is ‘exclusively processed by the trader for the purpose of supplying the digital
content or digital service in accordance with this Directive.’347 The legals of most
social media accounts would instantiate a nonexcluded contract as they typically
involve data processing that goes beyond what is necessary for providing digital
content or services, e.g. when ‘personal data, such as photographs or posts that the
consumer uploads, (are) processed by the trader for marketing purposes.’348
Conversely, it is not easy to identify contracts that are excluded under this provision.
There are mainly two problematic aspects in this exclusion. First, the notion of a
processing that has exclusively a purpose shows unawareness of the IoT’s
repurposing capabilities, whereby Things and systems designed for a purpose often end
up serving another purpose either automatically or for reasons that are not under
the control of the original manufacturer or designer. These issues are exacerbated
when the Thing or IoT systems are machine learning—powered and, accordingly,
learn over time to perform new tasks and process for new purposes. In the IoT,
the idea of an ‘exclusive’ purpose is untenable. Second, the processing of
personal data obtained from third parties in the absence of a contract falls outside the
scope of the directive.349 For example, if I use Echo Show to watch video content
provided by third parties that, in exchange, obtain my personal data, I will not be
able to invoke the Digital Content Directive as I do not have a contract with these
third parties. In implementing this directive, therefore, member states should take
advantage of the option ‘to extend the application of this Directive to such
situations [where there is no contract], or to otherwise regulate such situations.’350


3.3.2.3 From the Presumptions of Conformity to the Requirements for
Conformity


The final innovation brought about by this EU reform concerns the presumptions of
conformity that have become requirements for conformity. Whilst at first glance
there would seem to be no substantial changes in these requirements,351 compared
to the First Consumer Sales Directive, there are indeed five noteworthy additions:
(i) reorganisation of the conformity requirements into subjective and objective;
(ii) new interoperability requirement; (iii) new duty to update; (iv) ad hoc
requirements for goods with digital elements; (v) duty not to let third-party rights limit
the use of the product.

First, the requirements have been reorganised into ‘subjective’352 and ‘objective.’353
Subjective means that the good, content, or service must match the contract.354
Objective requirements for conformity add to the subjective ones and concern
what consumers can reasonably expect.355 In principle, the objective requirements
are more likely to be relevant in the IoT because they oblige traders to ensure that
products are and remain as reasonably expected by consumers, regardless of the
legals. Indeed, exploiting the power imbalance that characterises IoT transactions,
these traders could have the consumers accept contractual terms that allow the
trader to depart from the conformity requirements (e.g. by removing the smart
features of a Thing). Regardless of such terms, consumers are entitled to have the
product brought into conformity if there is a breach of the objective requirements.

This notwithstanding, in principle two of the subjective requirements are of
relevance for IoT consumers: goods, digital content, and digital services must be
interoperable and updated. In light of the importance of IoT interoperability to prevent the
Internet of Silos, commendably the EU reform mandates that goods, digital content,
and digital services must possess functionality, compatibility, and interoperability, as
required by the contract.356 The relevance of this provision — and of all the ‘objective’
requirements — is limited in a context of power imbalance and information
asymmetry that the IoT exacerbates. Indeed, contracts are used to realise a private
ordering of online transactions that penalises consumers. For example, Amazon informs
consumers that ‘devices that are Compatible Devices at one time may cease to be
Compatible Devices in the future.’357 Since the contract does not require Amazon to
ensure the contents and services are compatible with the goods, the lack of
compatibility cannot be a ground for an action for breach of this subjective requirement.

Similar issues relate to the subjective requirement to supply updates ‘as
stipulated by the contract.’358 The obsolescence of a product can be dangerous because
it can make the product unsafe and vulnerable to attacks. Therefore, in principle
it is positive that the nonprovision of updates qualifies as a lack of conformity.
However, the reference to the contract means that IoT traders can impose
imbalanced terms whereby they do not have an obligation to keep the Thing updated.
For example, Amazon’s Conditions of Use359 provide that ‘[i]n order to keep the
Amazon Software up-to-date, [Amazon] may offer automatic or manual updates
at any time and without notice to you.’ This is not an actionable obligation; it is
left to the trader’s discretion. Arguably, therefore, they could put in place that
form of private ordering that goes by the name of planned obsolescence.

However, in addition to the conformity requirements that apply to all goods, 
digital content, and digital service, the EU reform also introduces an ad hoc 
requirement to update that applies to ‘goods with digital elements,’ hence to 
most Things. What is crucial is that this requirement is an objective one; there- 
fore, IoT legals cannot be used to sidestep it. Traders of goods with digital 
elements must ensure that the consumer ‘is informed of and supplied with 
updates, including security updates, that are necessary to keep those goods in 
conformity.’>°° This obligation can last for the period of time that the consumer 
can reasonably expect or, should the contract provide a continuous supply of 
the content or service, for as long as the supply is contractually provided. In 
striking a balance between consumer protection and the traders’ interest to 
conduct a business, the EU reform also introduces a defence for traders; they 
will not be liable should the consumer fail to install, within a reasonable time, 
the updates.**! This provision nudges consumers to look after their Things and 
counters the paternalism that many see as characterising consumer protection 
laws.*°? At a closer look, the provision confirms the current trend to move on 
from protecting consumers through law — consumer law in Europe was linked 
to the rise of the welfare state in the Sixties and Seventies*® — to a world where 
‘[c]onsumers are supposed to play an active role in European markets.’3% From 
this standpoint, the expectation that consumers do not need top-down regula- 
tions and are active players in the market is an ideological one; in particular, it 
can be regarded as the expression of the neoliberal concepts of minimal state 
and free market.*® 
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Fifth, building on a similar provision in the proposed Common European Sales 
Law,°*® conformity will cover also legal defects, namely, any ‘restriction resulting 
from a violation of any right of a third party, in particular intellectual property 
rights.’°6” This phenomenon is epitomised by the infamous deletion of Orwell’s 
1984 and Animal Farm e-books from users’ Kindles, since a third party had placed 
the e-books on Kindle without the permission of the author’s estate.*® Things are 
increasingly ‘legal black boxes’ because their every aspect and layer is covered 
by some form of intellectual property, technological protection measure, or contractual
right. This means that each ‘layer of owner must rely on the owners above
them’ through a complex system of licensing and sublicensing that has been
criticised as ‘the new subinfeudation.’ This is a contributing factor of the death
of ownership, as will be seen in Chapter 6. Positively, when the EU reform
becomes effective, such third-party restrictions will qualify as a lack of conformity
if they prevent or limit the use of the goods, digital content, or digital service;
consumers, therefore, will be able to invoke the usual remedies of replacement,
repair, etc. However, member states may opt for the nullity or rescission of the
contract instead of the remedies of the lack of conformity. Commentators of
the draft Digital Content Directive lamented the lack of ‘clarification that End
User Licence Agreements do not affect the consumer’s legal position.’ Commendably,
the final text expressly recognises that restrictions can arise also from
such agreements that may prevent ‘the consumer from making use of certain features
related to the functionality of the digital content or digital service.’ It is
to be hoped that national implementation measures will provide that contractual 
restrictions such as the aforementioned can qualify as lack of conformity also in 
domestic consumer sales law. 


3.3.2.4 Private Ordering by Bricking Breaches the New Law of 
Consumer Sales 


To conclude, the EU reform’s objective to extend the remedies for lack of conformity
to digital content and digital services is a positive one that — in constituting
a stepping stone towards the realisation of a fully harmonised European contract
law376 — is likely to benefit the IoT and the digital economy more generally.
Regrettably, the reform keeps relying on the tangible-intangible divide that the 
IoT is rendering outdated. If there is a sales contract regarding a good, including 
‘goods with digital elements,’ the Second Sales of Goods Directive will apply; in 
turn, the Digital Content Directive covers the contracts for the supply of digital 
contents or services, including their tangible medium, as long as the latter is the 
mere carrier of the former. The qualification of Things as goods or services, there- 
fore, will have profound practical consequences. Although similar in their content, 
the directives provide partly different rules for goods, contents, and services. For 
example, whereas the Second Consumer Sales Directive provides that the trader 
‘shall be liable . . . for any lack of conformity . . . which becomes apparent within
two years’377 of the delivery, no obligation to introduce such limit exists under the
Digital Content Directive. Therefore, if national laws do provide a time limit, this
cannot be under two years;378 if they do not, national prescription rules will apply.
As the latter rules are not subject to harmonisation, there will be ‘variation in the
period of applicability of the conformity requirement that is far from ideal in a
maximum harmonization directive,’379 and an unfortunate divergence between the
regime of ‘tangibles’ and the regime of ‘intangibles.’ Although there is a vast grey 
area where it is not clear which regime, if any, will apply, this chapter suggests 
that, when in doubt, consumer sales law should control. 

Many of the aforementioned legal innovations are likely to benefit IoT consum- 
ers. First, the express inclusion of goods with digital elements that must match 
the contract and the reasonable expectations of the consumers. These goods are 
defined as goods that incorporate digital content or service, with the latter being 
necessary for the good to function — this definition should cover most Things, 
since their ‘smartness’ is likely to be considered as their vital component. How- 
ever, national lawmakers will have to make sure that Things that do not fall under 
this regime will be covered by the Digital Content Directive, which also includes 
the tangible medium of digital content or service, as long as it is the mere carrier 
of the intangible components. Second, since many IoT contracts have personal 
data, as opposed to a monetary price, as their consideration, it is commendable 
that the Digital Content Directive expressly covers the contracts where the consumer
receives the content or service and provides personal data. Some shortcomings
— such as the reference to the provision of data by the consumer, whilst
in the IoT, data are inferred or obtained from other sources — can be fixed at
the implementation stage. Finally, the revision of the conformity requirements 
is IoT-aware, in that interoperability, the provision of updates, and the absence 


376 This extension to contracts beyond sales has been seen as giving ‘rise to the chance to use the 
future acquis communautaire of the “digital internal market” to come closer to a more coherent 
general contract law, as Ole Lando and the earlier pioneers of European contract law strived to 
achieve, though on a different basis, before the digital revolution’ (Schulze (n 217) 143). 

377 Second Consumer Sales Directive, art 10. 

378 Digital Content Directive, art 11(2). 

379 Giliker (n 290) 111. 




of restrictions stemming from third-party intellectual property rights have now 
become requirements under both the Second Consumer Sales Directive and the 
Digital Content Directive. Thus, the EU reform may provide incentives for a more 
open, secure, and trustworthy IoT. 

Overall, it seems that, especially after the EU reform, consumer sales law, as 
complemented by digital content law, can provide an answer to private regulation 
‘by bricking.’ IoT traders’ attempts to remotely monitor consumers and automati- 
cally downgrade the Thing, discontinue the service, remove functionalities, deter- 
mine the lifespan of the Thing, and ‘brick’ it may qualify as a lack of conformity, 
and therefore, consumers will be able to upgrade their Things and keep them smart 
by demanding that they match the contract and/or their reasonable expectations. 

Despite the reform, consumer sales laws are of little use to track another major 
consumer threat, which is connected to the shift from e-commerce to IoT com- 
merce. Consumer information becomes difficult when consumers make transac- 
tions while immersed in hyperconnected, interface-free environments. The next 
sections will assess whether other EU consumer laws may be invoked to protect 
consumers in the IoT commerce. 


3.4 Precontractual Duties to Inform Under the CRD in a 
Hyperconnected, Interface-Free World 


One of the main ways in which EU laws protect consumers is by introducing 
duties to communicate with consumers and inform them about rights, risks, and 
obligations stemming from a business-to-consumer transaction. This is epitomised 
by Directive 2011/83 (‘CRD’),380 as amended in 2020 by the Omnibus Directive,
in the context of the ‘New Deal for Consumers’ package. The CRD mandates
the communication of certain information before the conclusion of a contract —
precontractual information duties, also known as mandated disclosures and consumer
notices. Information is an enabler of consumer choice as it should put the
consumer in the best position to make an informed transactional decision. 
Whereas the IoT can benefit consumers by making the relevant communication 
more pertinent, engaging, and timely, it can also constitute a challenge to these 
information duties. On the one hand, the ubiquitous presence of Things means 
that traders have more opportunities to communicate with consumers. Amazon 
can inform me via its website’s policy, the Alexa app’s notification, and Echo’s 
audio notices. By leveraging the granular information IoT traders hold about their 
customers, they can tailor their mandated disclosures and transmit the quantity 


380 Directive 2011/83/EU of 25 October 2011 on consumer rights, amending Council Directive
93/13/EEC and Directive 1999/44/EC and repealing Council Directive 85/577/EEC and Directive
97/7/EC [2011] OJ L 304/64.

and quality of information that is more suitable for the consumer at hand, thus
avoiding both insufficient disclosures and information overload. For instance,
Amazon knows that I am more active and attentive at a certain time (e.g. between 
12:00 and 1:00 p.m.), that I respond better to communications in a certain format 
(e.g. video), and that being a relatively tech-savvy legal scholar, I need only a 
limited amount of information about my rights and obligations. Therefore, they 
can use IoT-powered big data to personalise their disclosures accordingly, as the 
trend of ‘personalised law’ suggests.

On the other hand, the IoT renders compliance with information duties harder 
because it is ubiquitous, invisible, and often interface-free. Things are increasingly
used for e-commerce purposes, as exemplified by the purchases consumers
can make through Amazon Echo and Google Home. This means that consumer
contracts are concluded not only without any paper information but also without
an accessible digital visual copy of the information. This is because, in the IoT,
interfaces become smaller, change form, and even disappear. With the advent of
e-commerce, computers replaced physical shops. With the move to IoT commerce,
there is a further shift because computers decrease in size and increase in numbers,
to the point that consumers transact while immersed in a hyperconnected,
always-on, interface-free environment. In this immersive, IoT-saturated environment,
everything is connected and can potentially be used to conclude transactions,
with little if any consumer awareness of whether a transaction is initiated,
let alone the awareness of the associated rights, risks, and obligations. Therefore,
this section will explore whether EU consumer laws’ notice-and-consent
approach is fit for a hyperconnected, interface-free world, where purchases are 
initiated by voice, buttons, and eye blinks. I will first briefly analyse the relevant 
legal framework and then present a German ruling about Amazon’s Dash Button 
as a case study. 

The CRD is arguably the most wide-ranging instrument of EU contract law, in 
that it applies to any contract concluded between a trader and a consumer after 
13 June 2014.387 This is unlike those directives that exclude some contracts based 
on the way they are concluded (online, offline, off-premises, etc.), namely, the 
Distance Selling Directive388 and the Doorstep Selling Directive,389 which were
Communications Review 3.

387 CRD, art 28. 

388 Directive 97/7/EC of 20 May 1997 on the protection of consumers in respect of distance contracts 
[1997] OJ L 144/19. 

389 Council Directive 85/577/EEC of 20 December 1985 to protect the consumer in respect of contracts
negotiated away from business premises [1985] OJ L 372/31.

repealed by the 2011 Directive. There are some contracts that are exempt,390 e.g.
transfer of immovable property, but such exemptions must be interpreted narrowly,
as settled since Heininger. This directive is IoT-friendly because it does
not exclude some products based on their tangibility or lack thereof. Unlike the
Product Liability Directive, the CRD applies expressly not only to goods but also
to services and implicitly to data and software. Indeed, it deals with digital
content that is defined broadly as ‘data which are produced and supplied in digital
format.’ This may well include software, as corroborated by the fact that there
is no right of withdrawal in respect of distance and off-premises contracts regarding
‘sealed computer software which were unsealed after delivery.’ A contrario,
other types of contracts and other types of software should be included in the 
scope of the directive. Therefore, as far as the scope is concerned, this directive 
appears to be IoT-ready. 

The IoT-readiness will further increase once member states implement the 
Omnibus Directive; four changes point in this direction. First, this reform 
streamlined the definition of ‘goods’ under the CRD and the Second Consumer 
Sales Directive, namely, as meaning any tangible items, including goods with 
digital elements, hence most Things. Second, the definition of sales contract
has been amended, and it now reads, ‘Any contract under which the trader transfers
or undertakes to transfer ownership of goods to the consumer, including
any contract having as its object both goods and services.’ The removal of the
reference to the payment of price will make it easier to include those IoT transactions
where products are purchased by means of one’s personal data. However,
the amended CRD does not apply if personal data is provided exclusively
to supply the digital content not on a tangible medium or the digital service in
accordance with the directive itself or to comply with legal requirements. The
same critical remarks expressed above with regards to the analogous exclusions
under the Second Consumer Sales Directive apply here. Third, the reformed
CRD expressly includes digital services, which means (i) a service that allows
the consumer to create, process, store or access data in digital form or (ii) a


390 Certain contracts are excluded because they are regulated by sectoral laws e.g. financial services
and gambling. See CRD, art 3(3).

service that allows the sharing of, or any other interaction with, data in digital
form uploaded or created by the consumer or other users of that service. Fourth,
member states now are obliged to implement effective remedies and fines of up
to 4% of the annual turnover or EUR 2 million if the relevant information is not
available. This should provide stronger incentives for IoT traders to properly
inform consumers. 

The CRD aims to contribute to the proper functioning of the internal market 
by approximating certain aspects of the main EU consumer laws (maximum 
harmonisation) while achieving a high level of consumer protection. Information
requirements — more stringent in distance and off-premises contracts,
less so in the others — are the cornerstone of this instrument. When Things
are used to conclude contracts, consumers are, in principle, entering into a distance
contract, namely, a contract concluded ‘under an organised distance sales
or service-provision scheme without the simultaneous physical presence of the
trader and the consumer, with the exclusive use of one or more means of distance
communication.’ Therefore, the rules on distance contracts will be considered.


3.4.1 IoT Commerce and Information in Distance Contracts 


The CRD provides the legal framework for precontractual information duties. 
Precontractual means that the information must be provided before the consumer 
is bound by the contract or any corresponding offer. The usual transparency
requirements are reiterated; the information must be provided in a clear and comprehensible
manner. In its notice-and-consent model, the required information
is an ‘integral part of the . . . contract and shall not be altered unless the contracting
parties expressly agree otherwise.’ Should a dispute arise about compliance
with these requirements, the burden of proof would be on the trader. Limiting
this section’s analysis to the elements that are more likely to be relevant in the IoT, 
traders have to disclose the following information. 


(i) The trader’s identity and contact details. This is important to successfully
bring an action. Identifying the trader is less important when filing a
complaint under product liability; indeed, as will be shown in the next chapter,
the latter regime allows consumers to sue the supplier when the trader is
not identified.

(ii) The good’s or service’s main characteristics. For the aforementioned reasons,
these have to be understood as including data and software.

(iii) The conditions that apply, including payment terms, delivery time, and
performance, as well as duration of the contract and termination conditions.
These will typically be buried in long and obscure ‘legals,’ as seen
in section 3.2.4.

(iv) The functionality of digital content, including applicable technical protection
measures. In an IoT context, this may prove difficult because of the
Thing’s complexity, which is an obstacle to explaining the underlying functionalities
in layperson’s terms.

(v) The interoperability of digital content with hardware and software. This will 
mean that the trader will have to underline if the Thing or system is open or 
‘proprietary’ and hence closed. This is a strict requirement: it applies even 
when the trader is not aware of it but ‘can reasonably be expected to have 
been aware.’ As noted above, interoperability is a subjective requirement
for conformity under the Second Consumer Sales Directive. ‘Subjective’ 
means that IoT traders can use the contract to limit or even exclude interop- 
erability. However, regardless of such a contract, the CRD obliges IoT trad- 
ers to inform consumers about the Thing’s interoperability or lack thereof. 


In addition to the aforementioned elements, the trader will have to include in 
the disclosure twelve items, e.g. information about after-sale customer assistance, 
after-sale services, and commercial guarantees. It is safe to say, therefore, that
the notice to provide to consumers, especially IoT ones, is likely to be extremely 
long and complicated. Consequently, the way that the communication of this 
information is designed becomes crucial. 

Under the CRD, the trader, before concluding a distance contract, has to ‘give 
the (required) information . . . or make that information available to the consumer 
in a way appropriate to the means of distance communication used in plain and 
intelligible language.’ ‘Giving’ the information refers to the more traditional
forms of consumer notice, such as the paper leaflet contained in a product’s packaging.
There is also a legibility requirement for the information that is provided
on a durable medium. The reference to ‘legibility’ is unfortunate because it
reflects a text-based paradigm that is not fit for the IoT and, more generally, for
more modern consumer disclosures. This should be replaced by a comprehensibility
requirement that can be derived from the principle of transparency, as noted by
the advocate general in Cofidis.421 However, ‘legibility’ is not required when the
information is not given to the consumer, but it is made available to them, typically
online (‘appropriate to the means of distance communication’). In principle,
the legals accessed on the Thing’s website could comply with this requirement as
long as they are in plain and intelligible language. We have seen above that these
‘legals’ are hard to find, read, and understand. 

In light of the currently poor contractual drafting practices, the importance 
of information and transparency for data protection, and the amount and quality
of information that must be communicated to consumers, especially in
an IoT context, it becomes imperative to rethink consumer information. One
promising way to do so is to adopt a legal design methodology. Legal design is
a nascent field of study focused on redesigning legal practices (e.g. contracts,
policies, notices, etc.) in a way that is user-centric and multidisciplinary.422 The
key is to start by understanding who is the user, their expectations, their needs,
their preferences. This may lead to the overcoming of traditional notices and
to embrace more visual423 and engaging means of consumer communications,
such as videos, dashboards, story-based disclosures, smart disclosures, selective
just-in-time alerts, and visual diagrams.424 An Echo Show e.g. may inform
consumers about the functionalities of its own digital content by showing a
video rather than simply making available the Conditions of Use on Amazon’s
website. Given the rise of voice-user interfaces in the IoT,425 one could witness
a rise of the audio-notice-and-consent model. As consumers interact with
Echo, Google Home, etc. using their voice, consumer notices should reflect
this and be provided through audio messages. A lesson could be learned from
the GDPR and its requirement that it must be as easy to withdraw consent as it
is to give it.426 The European Data Protection Board interpreted it as meaning
that when ‘consent is obtained through use of a service-specific user interface 


421 Joint Cases C-616/18 and C-679/18 Cofidis v YU (Advocate General Kokott, 14 November 2019)
[54]. 

422 The pioneer of legal design is Margaret Hagan, Director of Stanford’s Legal Design Lab. She has 
been followed by a number of outstanding women, in particular Rossana Ducato, Helena Haapio, 
Arianna Rossi, and Stefania Passera. See e.g. Margaret Hagan, ‘Law By Design’ (Law By Design, 
2017) <www.lawbydesign.co/>. 

423 Nonetheless, visualisation ‘is almost always used in hybrid ways — combinations of words and 
images to enhance the effectiveness of communication’ (Gerlinde Berger-Walliser, Thomas D 
Barton and Helena Haapio, ‘From Visualization to Legal Design: A Collaborative and Creative 
Process’ (2017) 54 American Business Law Journal 347). 

424 cf Rossana Ducato, ‘House of Terms: Fixing the Information Paradigm with Legal Design’ (2018)
Conference: BILETA 2018. 

425 See e.g. patent US9811312B2 for a ‘Connected device voice command support.’ More generally, 
Pradeep Doss and others, ‘Unified Voice Assistant and IoT Interface’ (2018) 19061 International 
Journal of Engineering Science. 

426 GDPR, art 7(3). 




[Text in the illustration:]

HI, I'M YOUR AMAZON ECHO, I'M BROUGHT TO YOU BY AMAZON EU SARL!

IN ME, YOU FIND ‘ALEXA’, A VIRTUAL ASSISTANT THAT USES MACHINE LEARNING:
THIS MEANS THAT THE MORE YOU TALK TO ME, THE MORE I CAN UNDERSTAND YOU!

IF YOU WANT TO LISTEN TO MUSIC WITHOUT LIMITS, YOU NEED TO SUBSCRIBE TO
AMAZON MUSIC UNLIMITED. THIS WILL COST YOU 0.99€ FOR THE FIRST 4 MONTHS,
AND 9.99€ EVERY MONTH FROM THAT MOMENT ON

THIS DEVICE CAN CONTROL, BE CONTROLLED, OR OTHERWISE INTERACT ONLY WITH
OTHER PARTY PRODUCTS

Figure 3.4 An illustration of the principle of interface continuity: a legal design approach 
to compliance with consumer information requirements using Amazon Echo 
Plus’s voice-user interface. 


(e.g. via . . . the interface of an IoT device . . .), there is no doubt a data subject
must be able to withdraw consent via the same electronic interface.’ A
similar meaning should be given to the CRD’s requirement that, with respect to
distance contracts, the trader has to inform the consumer ‘in a way appropriate
to the means of distance communication.’ I posit that these provisions signal
the emergence of a more general principle: the principle of interface continuity. 
If I use the voice to give consent and interact with my Thing, it is reasonable to 
expect that the same interface will be used to transmit further information, as 
mandated by consumer and privacy laws. For an example of such an approach 
to consumer notices, see Figure 3.4, which follows. 

Generally, consumer information has to be in plain and intelligible language;
legibility is optional. However, additional requirements apply in certain scenarios,
as illustrated in the table that follows.

Table 3.1 Additional Formal Requirements for Distance Contracts Under the CRD

| Scenario | Formal Requirements | Items of Information |
| --- | --- | --- |
| Contracts with an obligation to pay (art 8(2)) | Clear, prominent, directly before the consumer places the order | Main characteristics of the product, total price, duration |
| Orders placed via buttons (art 8(2)) | Easily legible label with the words ‘order with obligation to pay’ or similar | Obligation to pay |
| Trading websites (art 8(3)) | Clear, legible, at the beginning of the ordering process | Delivery restrictions and accepted means of payment |
| Means of distance communication which allows limited space or time to display the information (art 8(4)) | On that particular means and prior to the conclusion | Main characteristics of the product, trader’s identity, total price, withdrawal, duration |


Certain information should be given or made available directly before the order, 
in a clear and prominent manner, if there is an obligation to pay. The main items 
to cover are the total price and, where the nature of the product is such that the 
price cannot reasonably be calculated in advance, the manner in which the price 
is to be calculated. Prominence has been traditionally interpreted as meaning
that the relevant contractual clause should be in capital letters, but the concept is
broader than that.

The meaning of ‘prominence’ has been further detailed for those instances where 
consumers place orders by activating a button or a similar function. This applies 
not only to buttons such as Amazon’s Dash Button (both in its software and hardware
versions) but also to all the Things used for e-commerce purposes. In these
cases, ‘the button or similar function shall be labelled in an easily legible manner
only with the words “order with obligation to pay” or a corresponding unambiguous
formulation.’ As noted by the European Commission, words and phrases such as
‘register,’ ‘confirm,’ ‘order now,’ and unnecessarily long phrases are unlikely to meet
the requirement. Whilst this is a positive legal innovation, the reference to a legibility
requirement is likely to exclude voice-user interfaces, video consumer notices, and
other unwritten means of communication that would be more suitable for the IoT.

As shown in the table above, prominence is not a requirement for the information
that trading websites have to provide at the beginning of the ordering process; this
information must only be clear and legible. Trading websites are interactive websites
that allow ‘consumers to transfer an offer to the professional.’ These websites
have to inform consumers about delivery restrictions and accepted means of payment.
Legible means that the relevant information must be provided in the form
of a written text, which, again, may be interpreted as ruling out more engaging
forms of consumer communication, such as audio notices and videos. And indeed
this directive has been read as preventing the conclusion of consumer contracts
via smart assistants in that it is based on the premise that distance contracts are
concluded by means that ensure the legibility of the information. This is an example
of a provision that is not IoT-ready. In an age where interfaces are changing and at
times disappearing, to adopt a text-based paradigm risks disenfranchising consumers
that engage with their Things with their voice, movement, etc. but are expected
to rely on traditional, written text to be informed. The other issue of this provision
is that this legibility requirement is imposed on ‘trading websites,’ which might be
interpreted as excluding the more complex platforms of the IoT commerce. Accordingly,
de lege ferenda it has been suggested that the provision be amended to make
it more technologically neutral and to remove the legibility requirement. Meanwhile,
as I argued above, it is possible to interpret the law as imposing interface
continuity, that is, the requirement to use the same interface for normal Thing-user 
interaction and for the notices mandated by the law. Therefore, the Echo products 
that do not have a display and work with a voice-user interface should inform the 
consumers using Alexa’s voice in plain and intelligible language. 

Conversely, the EU lawmaker showed some awareness of the fact that many 
Things have small interfaces (mainly displays). In particular, when a contract is 
concluded through a means of distance communication which allows for limited 
space or time to display the information (i.e. most Things), the trader has to show 
only some of the required information ‘on or through’ that means before the transaction
is completed. In particular, the information to display on or through the
Thing regards the main characteristics of the product, the identity of the trader,
the price, the right of withdrawal, the duration of the contract, and if the contract
is of indeterminate duration, the conditions for terminating it. The rest
of the precontractual information could be made available via hyperlink. This
provision was thought primarily for contracts concluded using technologies such
as SMS which impose technical limits on the amount of information that can
be sent. Nonetheless, the provision appears to be IoT-ready, and it can apply
to all the Things that have small interfaces. It is not clear what happens if the
means of distance communication does not allow any space to display the information.
The European Commission considers the requirements in Article 8(2)-(4)
as ‘additional.’ Therefore, it seems reasonable to argue that for Things without
displays, the general regime will apply, and therefore, the information will have to 
be provided or made available in plain and intelligible language. 


3.4.2 Amazon Dash Button as a Fitness Check of Precontractual 
Information Duties 


To have a better idea of whether the CRD and its precontractual information 
duties are fit for the IoT, this section will use Amazon’s Dash Button as a case 
study. Indeed, this Thing was at the centre of the most relevant dispute in the 
field of precontractual information and the IoT, which was settled in 2018 by 
Landgericht München (Regional Court of Munich) and upheld on appeal by the 
Oberlandesgericht (Higher Regional Court).447 

For some time, a fridge that would order milk was the go-to example of consumer
IoT.448 When Amazon launched the Dash Button, it seemed that, by allowing
potentially any product to order automatically new supplies, the IoT revolution
was eventually coming to its realisation and would change forever the world of
retail. The consumer would set up the button through a mobile app, simply
place the button on the washing machine (or similar product), and click it every
time the, say, laundry detergent was running low. The button is a device that can
connect to a user’s WLAN and send signals to the wireless router via the WLAN
connection. The sending of a signal is triggered by pressing an electromechanical
button — this no longer applies to the ‘virtual’ Dash Buttons that are entirely
intangible and have been replacing their hardware predecessors since February
2019.450 Made available to consumers for free, Dash Buttons were one of Amazon’s
fast-growing products in 2017. By making the purchase carefree, the button
was seen as ‘the epitome of instant, impulsive buying,’ which may benefit

Figure 3.5 Front and back of a Dash Button at the time of the dispute at hand. Source:
OLG München, 10 January 2019-29 U 1091/18 [2019] GRUR-RR 372. 


consumers in terms of time spent shopping, but at the same time, it may adversely 
affect them in terms of information and freedom of choice. Indeed, Dash Button 
was criticised**? for introducing a form of ‘brand loyalty by default’ as it reduced 
switching behaviour. Whilst information overload has often been criticised as a 
consequence of paternalistic consumer regulation,*+> the opposite of information 
overload — that one may call ‘information dearth’ — risks being a real problem for 
consumers who are parties to IoT transactions. 

At the time of the dispute, the Dash Button was labelled on the front with the 
logo of the manufacturer of the product to reorder, and on the back with the so- 
called CE safety mark and other technical details, as per Figure 3.5. 

No other information could be found on the button or was otherwise provided 
through it. This made the Consumer Association of North Rhine-Westphalia (hereinafter 
NRW or the claimant) seek a prohibitory injunction to prevent Amazon 
from selling Things that, by design and by default, did not provide the required 
precontractual information. In particular, the button was not labelled with the 
words ‘order with obligation to pay’ and did not inform the consumer, before the 
purchase, about the essential characteristics of the product and its total price. For 
the purposes of this section, it is not necessary to deal with the other ground of 
the injunction’s request, namely, the alleged invalidity of the contractual clause 
whereby Amazon would reserve the right to change the price or deliver a different 
product. 

As is often the case with cyberdisputes — and this holds true also for the IoT — 
the preliminary point was jurisdiction. The Regional Court of Munich resolved the 
question by relying on the Brussels I Regulation on jurisdiction and the recognition 
and enforcement of judgements in civil and commercial matters, as well as on 
the principle of flying jurisdiction. The general principle is that persons domiciled 
in a member state shall be sued in the courts of that member state. However, an 
entity domiciled in a member state (e.g. Amazon in Luxembourg) may be sued in 
another member state (e.g. Germany) in matters relating to tort, delict, or quasidelict 
if that is ‘the place where the harmful event occurred or may occur.’ The Regional 
Court of Munich held that this provision applied because the preventive action by a 
consumer protection association to prohibit the use of allegedly abusive clauses by 
a trader regarded an unlawful act. This is consistent with the Henkel jurisprudence, 
whereby a preventive action brought by a consumer protection organisation 
for the purpose of preventing a trader from using unfair terms is a matter relating to 
tort, delict, or quasidelict. Like in Henkel, the effectiveness of class actions to stop 
the use of abusive clauses in consumer contracts would be significantly impaired if 
they could only be brought in the state of the trader’s establishment. The Regional 
Court of Munich’s conclusion is corroborated by the Rome II Regulation on the law 
applicable to noncontractual obligations, in particular by the provision whereby 
‘[t]he law applicable to a non-contractual obligation arising out of an act of unfair 
competition shall be the law of the country where competitive relations or the collective 
interests of consumers are, or are likely to be, affected.’ From this intricate 
framework, as interpreted by Germany’s Supreme Court, follows the principle of 
‘flying jurisdiction,’ whereby all German courts and thus also the Regional Court of 
Munich have jurisdiction in these types of disputes. 

After having asserted the jurisdiction, the court focused on the fact that the but- 
ton was not labelled with the words ‘order with obligation to pay.’ As noted above, 
the CRD appears IoT-ready where it explicitly regulates button-enabled purchases 
by mandating forms of labelling that make explicit the obligation to pay that will 
accompany the transaction. The defendant disputed that purchases via the Dash 
Button can be regarded as ‘placing an order that entails activating a button or a 
similar function.’ Amazon claimed that the provision would apply only to virtual 
buttons; otherwise, one should start labelling also a computer’s mouse. The argument 
was not upheld. Indeed, although the provision was designed having website 
buttons in mind, it was formulated in a technologically neutral way to ensure its 
longevity. The provision applies to any mechanism that triggers a purchasing 
order. Once again, the IoT confirms the untenability of the tangible-intangible 
dichotomy and calls for unified rules. Accordingly, the provision on labelling buttons 
applies both to virtual buttons (like the new generation of Dash Buttons) and 
tangible ones, like the one at issue. It follows that the button must carry an ‘order 
with obligation to pay’ label or a corresponding unambiguous formulation. The 
remedy for noncompliance with this requirement is that the consumer will not be 
bound by the contract resulting from pushing the unlabelled button. The fact 
that the Dash Button’s label contained only the logo of the manufacturer and some 
technical details (CE marking) did not meet the legal requirement. In passing, the 
court also noted that Dash Button’s design would be in breach of the precontractual 
information duties even in the event that it was not considered a ‘button’ for 
the purposes of the CRD. This is because the button-labelling duties are to be seen 
as a specification of the general rule that the consumer must explicitly confirm 
before the order that they undertake to effect a payment. 

The Regional Court of Munich then moved on to consider whether there was 
a breach of the precontractual information duties, as the Dash Button did not 
timely inform the consumer about the essential characteristics of the product to 
be reordered and its overall price. This was held to be in breach of the trader’s 
duty to inform the consumer about the main characteristics of the goods or services 
and the price in a clear and prominent manner and before the consumer 
places the order. Indeed, the key information in a transaction not only has to 
be communicated clearly (in an ‘unambiguous and comprehensible manner,’ in 
the wording of the German Civil Code), but this information must also be provided 
directly before the consumer submits the order. Therefore, to provide the 
information through Terms of Service at the moment of setting up the button is 
not enough. In the IoT, this means that traders cannot rely on the contractual 
quagmire to inform consumers. The information must accompany the contract 
with which one purchases a product using the button, not the contract laying out 
the general conditions of use of the button (or Thing more generally). Whilst the 
literal meaning of the provision imposes a temporal vicinity between the information 
and the order, the court took a purposive approach to its interpretation. 
Indeed, the information must be provided in close connection to the order also 
from a functional and spatial sense (‘Zusammenhang’). Practically, this means 
that the necessary information must be displayed on the button or, if not viable, 
in its immediate vicinity. The Dash Button did not display this information in the 
vicinity of both the order and the button itself. Amazon argued that consumers are 
informed of the order via a separate app that they may download on their phones, 
which would send them push notifications. However, this was not considered as 
a satisfactory way to comply with the vicinity requirement, for a twofold rea- 
son: the information is provided after the order, and one can place orders without 
having or using a phone. This has broader relevance as it means that all Things 
that are used for e-commerce purposes must provide the required information in 
close temporal, functional, and spatial vicinity to the order and to the Thing itself. 
Therefore, if one orders something using one’s Amazon Echo, it is not enough 
that they are shown the necessary information on the Alexa app or on Amazon’s 
website. Augmented reality, computer vision, and holograms are just some of the 
approaches that could be used to display the required information when it is not 
viable to display the information on the Thing itself. 

For the aforementioned reasons, and for others that have less relevance from 
this book’s perspective, the Regional Court of Munich granted the consumer 
association an injunction prohibiting Amazon from selling Dash Buttons in Germany. 
In January 2019, this decision was upheld by the Oberlandesgericht München, 
which reiterated the aforementioned arguments. The main ground of appeal 
was that the CRD does not apply to the contracts concluded via the Dash Button 
because they fall under one of the directive’s exclusions, namely, ‘for the supply 
of foodstuffs, beverages or other goods intended for current consumption in the 
household, and which are physically supplied by a trader on frequent and regular 
rounds to the consumer’s home, residence or workplace.’ However, the court 
held that in many scenarios, the button’s orders will fall outside the scope of this 
exclusion because the trader relies on third-party delivery — and therefore the 
products are not physically supplied by the trader. In turn, when the contracts 
fall within its scope, national laws are not bound by the directive and cannot be 
impugned for alleged contrast to them. As to the use of the terms of service as a 
means to communicate the mandated information, the court of appeals reiterated 
the reasoning of the regional court and noted that it cannot ‘be assumed that the 
consumer will remember the details of the goods when ordering — some time after 
setting up the button — especially since he uses several dash buttons for different 
products.’ This is of great importance in an IoT context. Indeed, since we are 
increasingly surrounded by several Things, with augmented ease of purchase, it 
becomes vital that traders not rely on the ‘legals’ and, instead, inform consumers 
in close temporal, functional, and spatial vicinity to the order. 

The CRD, despite being only ten years old, mostly reflects a world in which 
information was provided in a written form (the leaflet inside the product’s box, 
the ‘legals’ available on the trader’s website, etc.). This is exemplified by the leg- 
ibility requirement that applies when buttons are used to place orders and when the 
transaction is mediated by a trading website. However, the general rule is that the 
information needs to be provided in a clear and intelligible manner, which means 
not necessarily in a written form. Arguably, in an IoT world where there is a rise of 
audio-user and video-user interfaces, consumers should be given information in the 
same format as the one that is usually utilised to interact with the Thing (namely, 
audio or video). The directive’s provisions are often forward-looking and IoT- 
friendly. This is exemplified by the provision whereby when a contract is concluded 
through a distance communication means which allows limited space or time to 
display the information (arguably, most Things, due to their small interfaces), the 
trader has to show only some of the required information on the display before the 
transaction is completed. This is also shown by the ad hoc provision about buttons, 
correctly interpreted as encompassing both virtual buttons and mechanical ones, 
thus confirming that the tangible-intangible divide is fading away. It seems 
that EU consumer laws are not in need of a radical overhaul to become fit for a 
world of IoT commerce, where consumers live immersed in a hyperconnected environment 
and transactions are concluded with the wink of an eye. De lege ferenda, 
lawmakers should amend the CRD by (i) introducing special provisions for when 
transactions are concluded through interface-free Things, (ii) eliminating the legibility 
requirements, and (iii) embracing the principle of interface continuity. The 
ideal way to proceed is to amend the directive, but this will take a long time. In the 
meantime, the latter is flexible enough to allow the courts to keep the enforcement 
of the directive up to date and relevant; this may be done, like in Codifis, by looking 
at transparency as comprehensibility, as opposed to mere legibility. 


3.5 Interim Conclusion 


This chapter focused on three consumer issues in the IoT and critically assessed 
if they can be tackled invoking three EU laws that deal with power imbalances in 
business-to-consumer contracts. 

First, it critically assessed if the Unfair Terms Directive is fit for the contractual 
quagmire. The unfairness ‘of form’ and ‘of substance’ of Amazon Echo’s terms 
has been analysed, and the conclusion is that they fall under both types of unfairness 
and that the IoT contributes to overcoming the form-substance dichotomy. 
Fairness demands better contractual design and more transparent transactions. 
IoT traders, in light of the complexity of the IoT and of the imbalances in terms of 
power and information, must comply with more stringent requirements of fairness, 
with a particularly urgent need to rethink the IoT legals to make them easy to find, 
read, and understand. De lege ferenda, EU regulators should, for once, learn from 
the US counterparts and introduce obligations to draft ‘legals’ that reach at least a 
Flesch-Kincaid readability score that reflects the literacy and cognitive resources 
of the average IoT user (e.g. 70, making the text readable to a 13-year-old). Poli- 
cymakers wanting IoT traders to adopt fairer practices should be aware of the 
IoT’s hierarchy of incentives, whereby traders are more likely to respond to pub- 
lic pressure (e.g. a public inquiry), less likely to respond to financial incentives 
(e.g. the subscription cost), and unlikely to protect consumers who ‘pay’ with 
their personal data. Any inquiry into IoT traders’ contractual practices should also 
take account of the contractual quagmire; therefore, for instance, having traders 
changing their cloud contracts (like the Competition and Markets Authority did) 
without considering that they are only one element of an intricate web of legals 
constitutes an inadequate solution to the problem. 

Second, the chapter explored the possibility of relying on consumer sales laws 
to counter the IoT traders’ private ordering by bricking. It has been proposed that 
the First Consumer Sales Directive’s right to repair can be interpreted as a right 
to have the Thing’s smartness restored. The main limitation of this regime is that 
traders are liable ‘for any lack of conformity which exists at the time the goods 
were delivered.’ Arguably, if a trader bricks the Thing after the delivery, that 
lack of conformity did not exist when the Thing was delivered. It has been sug- 
gested that ‘delivery’ be construed broadly. Indeed, since in the IoT the good’s key 
components are intangible, and given that the intangible components are delivered 
throughout the Thing’s life cycle, any deprivation of smartness will, by defini- 
tion, take place at the time of delivery. This approach has been adopted by the 
Second Consumer Sales Directive. As of 1 January 2022, consumers will be able 
to rely on the fact that, where the contract provides for a continuous supply of a 
Thing’s digital elements, the seller shall be liable for any lack of conformity of 
the digital content or digital service that occurs or becomes apparent within the 
period of time during the time of supply. Prima facie, this reform, which will see 
the First Consumer Sales Directive replaced and paired with a directive on the 
supply of digital content and digital services, is IoT-friendly. This can be seen in 
the express regulation of goods with digital elements, whose definition broadly 
coincides with the definition of a Thing. An ad hoc rule is that goods with digital 
elements must be kept updated. This may be used to counter one of the practices 
in the private-ordering-by-bricking spectrum, namely, planned obsolescence. The 
main issue with the reform is that there is the risk that certain Things will fall in 
a regulatory vacuum. If the digital element is necessary for the good to function, 
the Second Consumer Sales Directive will apply. If the tangible aspect is the mere 
carrier of the digital element, the Digital Content Directive will. National lawmak- 
ers, in implementing the reform, must make sure to regulate the grey area between 
the two. 

Third, this chapter looked at IoT commerce and in particular at the challenges 
that an interface-free, hyperconnected environment poses to precontractual duties 
of information. It has been suggested that the general rule to inform consum- 
ers in a clear and intelligible manner should be interpreted in creative ways that 
go beyond the traditional terms of service available on the trader’s website. In 
an IoT world where there is a rise of voice-user and video-user interfaces, con- 
sumers should be given information in the same format as the one that is usu- 
ally utilised to interact with the Thing (namely, audio or video). This principle 
of interface continuity is emerging from both consumer contracts laws and data 
protection laws. However, its full implementation is hindered by the legibility 
requirement that the CRD set forth for some online transactions. This requirement 
clearly refers to a written paradigm and should be abandoned to future-proof the 
directive. Positively, there are special rules that apply to distance communica- 
tion means that have some limitations, e.g. small displays, though they do not 
tackle the issue of the absence of a display or other traditional interface. It is rec- 
ommended to introduce special provisions for when transactions are concluded 
through interface-free Things. 

The regulation of the information that must be communicated in business-to-consumer 
contracts is at the very core of consumer contract laws. However, 
building on insights from behavioural economics, scholars have increasingly 
underlined how the focus on information is often of limited value. There is 
little recourse against information overload, whilst information omissions are prohibited. 
Such a single-minded focus on the necessity to increase information is 
partly overcome by the rise of fairness in EU consumer laws, as seen in particular 
in some laws that protect consumers regardless of a contractual relationship. 
This will be the focus of the next chapter. 

4 The Internet of Vulnerabilities 


Tackling Human and Product 
Vulnerabilities through Noncontractual 
Consumer Laws 


The less you eat, drink and buy books; the less you go to the theatre, the dance 
hall, the public house; the less you think, love, theorize, sing, paint, fence, etc., the 
more you save — the greater becomes your treasure which neither moths nor rust 
will devour — your capital. 

K. Marx, Economic and Philosophic Manuscripts of 1844 


4.1 Introduction 


Although drafted in a pre-IoT world, the consumer laws analysed in the previous 
chapter can play a tactical role in empowering consumers who are negatively 
affected by issues such as the contractual quagmire, private ordering by bricking, 
and IoT commerce. Their main limitation, however, is that they are contract laws 
and therefore are of little help when (i) there is no contract (or no sales contract, 
if the issue is a faulty product), (ii) the contractual party cannot be identified, 
or (iii) the power imbalance manifests itself outside the contract. Therefore, this 
chapter will consider two consumer laws that look beyond the contract, namely, 
the Product Liability Directive and the Unfair Commercial Practices Directive. 
The IoT-readiness of these laws will be tested by critically assessing whether 
they can be used to tackle the vulnerability of Things and of humans. First, I will 
focus on the Things that are vulnerable inasmuch as they are defective. Current 
legal regimes struggle to cope with new defects (e.g. software updates, inaccu- 
rate sensors, etc.) and vulnerabilities (e.g. the limitations stemming from soft- 
ware instructions and training datasets that affect the capacity to predict human 
behaviour in real-world scenarios). Second, I will deal with the vulnerability of 
IoT users through the lens of the so-called Internet of Personalised Things. In 
April 2021, the European Commission presented a proposal for an AI regulation 
(so-called AI Act) which prohibits the use of subliminal techniques to materially 
distort behaviours and likely cause harm. The threat goes beyond AI, however. 
Things allow traders to personalise products, services, prices, and ‘legals.’ Situational 
data and granular knowledge of biases and human vulnerabilities allow 
these traders to manipulate consumers and even discriminate against them, thus 
hindering their trust. In Amazon’s commitment — ‘We seek to be Earth’s most 
customer-centric company,’ — it is possible to find at once one of the key benefits 
and dangers of the IoT: personalisation. 

One may think it accidental that Things and humans share vulnerability as 
a common trait. I would opine that this is no accident. Indeed, capitalism pro- 
duces a double, convergent movement: the objectification of the subject and the 
subjectivation of the object. Under capitalism, the commodity compensates for 
the lack of being of the subject and, at the same time, attributes a subjectivity 
to the objects. The production of vulnerable Things — programmed to be con- 
sumed as quickly as possible — and of vulnerable humans — prone to all sorts of 
manipulations — is one of the ways that the IoT realises the capitalistic enter- 
prise. With this in mind, this chapter will answer the following subquestion: can 
the laws on noncontractual business-to-consumer relationships tackle techno- 
human vulnerability? 


4.2 What’s in a Product? EU Product Liability Laws 
and the Challenge of a Defective IoT 


The analysis of Echo’s legals confirmed the findings of previous research show- 
ing that a new legal conception of a ‘product’ may be required in the context of 
the IoT. As products become increasingly smart, they can no longer be reduced to 
their hardware dimension: they have to be rethought as an amalgam of hardware, 
software, service, and data. Even though the Conditions of Use regulate 
‘Amazon Services,’ these are defined to include Amazon devices, products, 
services, apps, and software. Similarly, Amazon Device Terms, despite hav- 
ing tangible products as their core subject, cover also digital content, services, 
and software. In turn, the Alexa Terms deal mainly with the virtual assistant 
as encompassing services, digital content, and software but regard also 
Alexa-enabled products, meaning ‘any product or application that enables access to 
Alexa, such as Amazon Echo devices and the Alexa App.’ What happens if an 
Echo consumer is in breach of Alexa Terms and, consequently, can no longer use 
the virtual assistant? The end customer’s ability to use the hardware’s functions 
will be profoundly affected. Despite attempts through the ‘legals’ to distinguish 
the different elements of the Thing (hardware, software, etc.), this fragmentation 
has become untenable. This convergence has implications for the applicability of 
EU product liability law. 

Product liability is focused on the compensation for damage caused by defective 
products to the consumer or their property. Fitness for use is not its benchmark; 
the safety which the public is entitled to expect is. Product liability regimes 
address the allocation of liability between the producer of a product and its user. 
These laws represent a departure from traditional contractual and tortious rules 
under which an injured party in litigation has to prove that the defendant is either 
in breach of contract or at fault and in breach of a duty of care towards the claimant. 
By contrast, under product liability law, the injured person does not need 
to prove a fault or a breach of contract. Another key difference is that it will usually 
be possible to bring a claim against a broader category of persons. Strict 
liability rules exist also beyond defective products, and they tend to protect vulnerable 
persons and allocate liability on those who are better positioned to prevent 
the harm. By imposing strict liability, the law increases the risk of liability for 
the producer, enhances protection and the possibility of redress for the consumer, 
and as a by-product, should ensure the safety and quality of products sold on the 
market. The existence of a strict liability regime is of vital importance in an IoT 
world because the characteristics themselves of the IoT — and in particular the 
high degree of autonomation — ‘could make it hard to trace the damage back to a 
human behaviour,’ which renders ordinary, fault-based liability regimes unhelpful, 
as recently noted by the European Commission. 

Ensuring the safety of the IoT is crucial because this sociotechnological phe- 
nomenon has led to an overcoming of the distinction between security and cyber- 
security. Hacking would be traditionally seen as a cybersecurity issue, but if one 
hacks a Thing or an IoT system to control them and weaponise them (e.g. a ‘smart’ 
petrol station), then the issue would become one of security. Vulnerable Things 
can damage other Things and systems, often at scale, e.g. when an infected IoT 
botnet executed an unforeseen DDoS attack to bring down online servers. More 
generally, potential IoT safety risks can be categorised into malfunction by defect 
or updates, loss of connectivity and product obsolescence, data quality and integrity 
concerns, and physical dangers. Only some of the risks relate to the tangible 
components of the Thing. 

In the EU, Directive 85/374 (‘Product Liability Directive’) was seen from the 
outset as a response to ‘solving the problem, peculiar to our age of increasing 
technicality, of a fair apportionment of the risks inherent in modern technological 
production.’ With the increase in risks that the IoT carries with it, partly due 
to its being technically complex, the regime cannot be dismissed as not being 
intended to cover recent developments such as the IoT. However, the rules regarding 
liability for defective products seem to have been somewhat neglected over 
recent years. Indeed, it has been critically noted that while the EU product liability 
model has been influential internationally, ‘the practical impact of its ideas has 
been close to negligible.’ At least in part, this is due to the fact that these laws 
were written in a time when products were tangible, they would not change after 
the point of sale, and the defects were mostly mechanical. The IoT challenges 
each one of those assumptions, as products live on a continuum between tangible 
and intangible, dynamically change throughout their life cycle, and their defects are 
mostly intangible. 

Although the Product Liability Directive has been relatively dormant, the 
CJEU has recently been asked to consider its application in a case involving 
health-related Things, namely, ‘pacemakers and implantable cardioverter 
defibrillators.’ In Boston Scientific, products contained a defect that could 
result in premature battery depletion and subsequent loss of certain functional- 
ity, including telemetry, that is, the transmission of recorded data to an external 
device. Following identification of the defect, the supplier offered their replace- 
ment free of charge. However, claims were made for compensation in respect 
of the costs of the implantation of the original faulty products. The main issue 
was whether a ‘product belonging to the same group or forming part of the same 
production series’ could be said to be defective without the need to prove that 
the specific product was defective. The court held that it could, because users had 
high expectations of safety, ‘in the light of (the product’s) function and the particularly 
vulnerable situation of (the users).’ Such high expectations are likely 
to lower the evidentiary standard in most disputes regarding Things, because the 
latter endanger consumers in novel ways. As noted by the advocate general, ‘making 
proof of a lack of safety subject to the actual occurrence of damage would 
disregard the preventive function assigned to EU legislation on the safety of 
products.’ Second, the court was asked to determine whether damage relating to 
death and personal injury extended to the surgical procedure required to replace 
the defective device. The court held that it did, but only if the operation was 
necessary to overcome the defect. This will have an impact on all those ‘smart’ 
implantables that require an operation to be removed — their cost of replacement 
will qualify as damage under product liability. 

When Boston Scientific was decided, it was predicted that the implications of 
this decision for product liability regimes could be significant. With the explosive 
growth of the IoT market and an expansive concept of ‘product,’ the possibility 
of a revival of product liability was foreseeable. Such revival has not 
materialised yet, which may suggest that the Product Liability Directive is unfit 
for purpose. On this basis, it is worth examining the EU regime and considering 
its applicability to the Echo case study and the IoT more generally. 


4.2.1 Are Software, Service, and Data ‘Products’? 


The Product Liability Directive applies to ‘products,’ which are defined as all 
movables even when incorporated into another movable or immovable, and 
including electricity. Further clarity around this definition may be found in the 
national implementation measures. In the UK, for example, a product includes ‘a product 
which is comprised in another product, whether by virtue of being a component 
part or raw material or otherwise.’ In an Echo and IoT context, therefore, a key 
issue is to what extent the ‘product’ can be said to include its intangible com- 
ponent parts, specifically software, service, and data. The Commission saw the 
directive’s definition as extending to software, with Lord Cockfield noting that 
the directive ‘applies to software in the same way . . . that it applies to handicraft 
and artistic products.’ Notwithstanding the Commission’s statement, uncertainty 
about the application of the directive to software has persisted over the years, 
partly due to the fact that software may be considered a service in certain circum- 
stances. While it is increasingly accepted that product liability applies at least to 
the physical media on which software is supplied and to the software encoded on 
that media, ‘there is some doubt about whether they apply to software delivered 
online (although it is possible that the common law would imply).’ The concept 
encompasses those products whose ‘essential characteristics . . . are attributable to 
an industrial or other process having been carried out.’ This would seem applicable 
to a product’s integrated software and does not exclude intangible software 
products. It has been noted that, since the directive does not establish whether 
products must be tangible and its travaux préparatoires focus on preventing risks 
stemming from industrially manufactured products, software products could be 
included. Including intangible products would also have the benefit of ensuring 
convergence between product liability and free movement of goods, since — as 
decided by the CJEU in Jägerskiöld v Gustafsson — tangibility is not a requirement 
for items to be considered goods. This inclusive stance is further corroborated 
by the circumstance that, in an IoT world, a large number of everyday 
objects is embedded with — and made vulnerable by — software components and 
that distinguishing between the components of a Thing is becoming increasingly 
difficult, if at all possible. However, it has been argued that the directive would 
implicitly focus on tangibles by expressly including electricity as the only intan- 
gible product, and it would concentrate on damages that are typically associated 
with defective tangible goods rather than digital damages. It would follow that 
the directive applies to digital content supplied on a tangible medium and non- 
embedded software that fulfils a component function for a tangible product, but 
not to software without any tangibility. Whilst these arguments are not without 
merit, given the evolution of the market in a direction that was not predictable 
by the lawmakers in 1985, excluding software would mean condemning product 
liability law to irrelevance by obsolescence. 

US-based commentators agree that this issue can be determined by deciding 
whether the reasons for imposing strict liability apply to software. In considering 
the expansion of the scope of strict liability beyond chattels, US courts identify a 
threefold rationale: the placing of a product into the stream of commerce, the pro- 
ducer’s better position to control risks, and the latter’s ability to spread the costs 
of accidents. It has been claimed that product liability’s rationale does not apply 
to software that is especially designed for the needs and to the order of the con- 
sumer; it would only apply to software which is a standard marketed package — 
both in the US and in the EU. This may have been true in the eighties, but it 
is perhaps less convincing in an IoT world, where the distinction between hardware 
and software is blurred and IoT players remotely control products, including 
software, throughout their life cycle. Accordingly, they are better 
positioned to control the risks compared to consumers, who find themselves in a 
position that is weaker than consumers in a pre-IoT world. It can be said that the 
IoT challenges the distinction between especially designed software and standard 
marketed package. 

Therefore, whilst current laws can already be interpreted as including software 
in the concept of product, de lege ferenda such concept should be redefined to 
expressly include software, regardless of whether it is embedded and whether it is 
a standard marketed package. Positively, the European Commission, recognising 
that software may often be classified as a service and not as a product, and that 
non-embedded software may be difficult to classify, recommended a clarification 
of the definition of product to ‘ensure that compensation is always available for 
damage caused by products that are defective because of software or other digital 
features.’ This change would contribute to making the product liability regime 
fit for the IoT. 

The same can be said for the exclusion of service and data from the concept of 
product. The directive is usually seen as not applicable to services; e.g. it has been 
observed that ‘if the machine learning technology is hosted in the cloud, so that 
its users receive it as a service, the product liability regime will not apply.’ Posi- 
tively, in its process of reviewing the directive, the Commission has noted that 
‘[t]here are open questions about what separates a product from a service (e.g. for 
the Internet of Things, where products and services interact).’ Data has not been 
dealt with expressly, but it is reasonable to say that the directive was not designed 
to deal with hazards to the safety of people related to personal and nonpersonal 
data. Currently, defective service and defective data, as such, do not trigger the 
Product Liability Directive, though if they are embedded in a product, including 
software, they should. If Things are a mixture of hardware, service, software, 
and data, then the product’s vulnerabilities should be considered holistically and 
include the Thing’s intangible defects. De lege ferenda, the directive should be 
amended to expressly apply to service and data as such; otherwise, it risks becom- 
ing irrelevant in an IoT world. 

It follows that some of Echo’s terms are potentially unenforceable under prod- 
uct liability rules. For example, in the One-Year Limited Warranty, Amazon states 
that they ‘warrant the Device against defects in materials and workmanship under 
ordinary consumer use’ and the warranty ‘applies only to hardware components 
of the Device.’ These limitations are no longer justified. To make sure that the 
regime remains fit for the IoT and, more generally, of predictable application, it 
is to be hoped that the ongoing review of the directive will lead to a clarification 
that products also include software, service, and data. 


4.2.2 Allocation of Liability in Complex Supply Chains 


One of the main concerns of consumers of Things is that the multilayered struc- 
ture of the supply chain could effectively shield IoT companies from liability. 
There is a risk that the manufacturer of the hardware could claim that the software 
developer is the party responsible for any defect or could try to shift responsibility 
to the service provider. The problem is exacerbated in complex ecosystems, such 
as Echo, where, as a result of an intricate and opaque corporate structure, con- 
sumers are contracting with several different traders whose identification is often 
arduous. Under product liability, invoking complex supply chains to disclaim 
liability should not be allowed. Under Article 3 of the Product Liability Directive, 
the concept of the ‘producer’ is multilayered, to prevent any shifting of respon- 
sibility. In the first instance, ‘producer’ means the manufacturer of the finished 
product, or the manufacturer of a component part, or any persons who present 
themselves as the producer, by putting the name, trademark, or other distinguishing 
feature on the product. Additionally, where the product is imported and distributed 
in the territory, that person is deemed responsible as producer, which 
extends the territorial application of the directive to foreign products. Finally, 
where neither the producer nor the importer can be identified, then the supplier 
is considered the responsible producer, unless they can identify the producer, 
the importer, or the supplier’s supplier within a reasonable time. However, the 
preference goes to the producer because, as pointed out by the CJEU in Skov Æg 
v Bilka Lavprisvarehus, ‘by obliging all suppliers to insure against such liability, 
it would result in products becoming significantly more expensive.’ Such an 
inclusive and broad concept would seem perfectly applicable to the characteristic 
of IoT markets, where nearly all Things are composite and the supply chain is 
incredibly complex. If the consumer cannot identify the producer, the supplier 
will be the defendant. 


4.2.3 Defect, Damage, and Causal Link in the Liability for Defective Things 


Under the Product Liability Directive, the injured person has to prove the defect, 
the damage, and the causal link between the two. This allocation of the burden 
of proof is the stepping stone to compensation for damage, and on the face of it, 
it would favour consumers as they do not have to prove fault. However, there is 
empirical evidence that it is ‘the most burdensome to consumers.’ 

With regard to defects, the threshold is that the product does ‘not provide 
the safety which a person is entitled to expect, taking all circumstances into 
account.’ This is an objective assessment, as courts will consider what the public 
are entitled to expect, not what they actually expect. This was clearly stated in 
A v National Blood Authority, where infected blood had caused a group of people 
to contract hepatitis C, and the court — highlighting that there were no warnings 
and no publicity material — held that the blood was defective because ‘the public 
at large was entitled to expect that the blood transfused to them would be free 
from infection.’ This expectation has to be evaluated as at the time the product 
was first introduced to the market, but as held in Gee v DePuy International Ltd, 
courts can have regard to everything relevant known about the product, whether 
or not that information had been available when it was first put on the market. 

What constitutes a general expectation of safety may vary considerably depend- 
ing on many factors, including the market segment in which the Thing is deployed. 
In Boston Scientific, the court held that this expectation must be assessed on the 
basis of ‘the intended purpose, the objective characteristics and properties of the 
product in question and the specific requirements of the group of users for whom 
the product is intended.’ With regard to the medical devices under consideration, 
the court felt that an expectation of a near-zero failure rate in an implantable 
device would be reasonable for patients, even though medical experts are aware 
that such devices are not free of the risk of failure. Following the rationale of the 
directive and the vague yet encompassing general expectation test, the producer 
may be held accountable also ‘for a lack of cybersecurity where it is an expected 
product feature to be secured against such attacks.’ Whilst health-related Things 
are a field where one can foresee a rise in product liability cases connected to high 
expectations of safety, similar expectations apply to many other Things, such as 
driverless cars, as one can infer from X BV v Staatssecretaris van Financiën. To 
date, the standard of proof has varied considerably across the member states. 
However, following Boston Scientific, it now appears sufficient for the claimant 
to demonstrate the risk of a defect or the potential for failure rather than that a 
specific Thing has a defect, which significantly lowers the threshold. 

The concept of damage under the Product Liability Directive is limited to 
death, personal injury, and damage to any other item of property. Damage to 
the device itself, so-called ‘transaction damage,’ is not covered. However, in 
Boston Scientific the court took an expansive view of what damage should be 
compensated, including ‘all that is necessary to eliminate harmful consequences 
and to restore the level of safety which a person is entitled to expect.’ Where 
the damaged property is for private use or consumption, a maximum recoverable 
threshold of €500 is imposed, which would apply to the Echo series. Recovery 
of nonmaterial damages, such as distress, is left for the member state’s 
law to determine. However, as recently confirmed in Schmitt v TÜV Rheinland 
regarding breast implants, the Product Liability Directive ‘does not preclude the 
application of other systems of contractual or non-contractual liability based on 
other grounds.’ Since the directive does not affect national laws on torts and 
the vast majority of legal systems provide compensation for nonmaterial or moral 
damages, consumers will be able to claim such damages uncapped under general 
tortious liability. De lege ferenda, I echo the European Consumer Organisation’s 
recommendation that the directive should be revised to expressly include nonmaterial 
damages. Construing damage as broadly as possible is fundamental in an 
IoT world to avoid what happens in the US, where the lack of actual harm is the 
prevalent theme in IoT product liability cases. 

Finally, evidencing the causal relationship between the defect and damage is a 
major problem for consumers, and it can be a challenge particularly when complex 
technologies are involved. The failure to prove the causal link is the main 
reason that courts reject product liability claims in Europe. The directive relies 
on national rules on the evidence and the establishment of causation; therefore, 
it is useful to look at domestic case law. In Hufford v Samsung Electronics (UK) 
Ltd, for example, the claimant proved defect and damage but was unable to discharge the 
burden of proof that a fridge-freezer caused a fire in their home. Such difficulties 
led some member states and consumer groups to call for the Product Liability 
Directive to be amended either to reverse the burden of proof or to adopt a presumption 
of producer liability. Recently, the Expert Group on Liability and New 
Technologies has suggested that the burden of proof could be linked to compliance 
with specific cybersecurity obligations set by law: the noncompliance would 
lead to a reversal in the burden of proof. Perhaps unsurprisingly, producers and 
insurers contest these proposals. 

A related issue is whether consumers can only rely on uncontested scientific 
research to prove the causal link or if national laws can provide for a lower thresh- 
old. An answer can be found in the recent N.W v Sanofi Pasteur case, where it 
was held that, despite medical research neither establishing nor ruling out the 
existence of a link between the administering of a vaccine and the occurrence of 
a disease, courts may find in favour of the consumer if ‘certain factual evidence 
relied on by the applicant constitutes serious, specific and consistent evidence 
enabling it to conclude that there is a defect in the vaccine and that there is a 
causal link between that defect and that disease.’ Therefore, even though IoT 
consumers cannot rely solely on presumptions and carry the burden to prove 
defect, damage, and causal link, the evidentiary threshold is a relatively low one. 


4.2.4 Product Liability Defences and IoT: Friends or Foes? 


It is not permissible for a producer to limit or exclude their liability under the 
Product Liability Directive.⁸³ Therefore, contractual provisions such as Amazon 
Prime Terms accepting liability only ‘for fraudulently concealed defects’⁸⁴ are 
unenforceable. Additionally, given the overlaps between the different consumer 
laws, such terms would likely be considered also an unfair commercial practice 
and an unfair term.⁸⁵ However, producers can raise various defences under this 
directive, namely: 


(i) They did not put the product into circulation;⁸⁶ 
(ii) The product was not made for sale or other distribution for economic purpose 
or not manufactured or distributed in the course of business;⁸⁷ 
(iii) The defect was due to compliance with mandatory regulations;⁸⁸ 
(iv) The defect could be attributed to the product in which the component has 
been fitted;⁸⁹ 
(v) The ‘development risk’ or ‘state-of-the-art’ defence⁹⁰ — the state of scientific 
and technical knowledge when the product was put into circulation — was 
‘not such as to enable the existence of the defect to be discovered;’⁹¹ 
(vi) The ‘later defect’ defence — the defect did not exist when the product was put 
into circulation.⁹² 


Defences (v) and (vi) are the most relevant in the context of the IoT. First, the development 
risk defence requires courts to consider whether the defect could be discovered 
based on all scientific and technical knowledge available at the time that 
it was put into circulation, including ‘the most advanced available (to anyone, not 
simply to the producer in question).’⁹³ 

As the travaux préparatoires show, the development risk defence was seen 
as a compromise between consumer protection and innovation.⁹⁴ Since 1985, 
debate has continued over its relative costs and benefits for both consumers and 
producers. It has been held that this provision does not require consideration of 
the ‘practices and safety standards in use in the industrial sector in which the 
producer is operating,’⁹⁵ which would be a consideration under a traditional 
negligence analysis.⁹⁶ Instead, it requires a more holistic perspective involving 
considerations of accessibility.⁹⁷ The EU lawmaker was aware that this defence 
could provide producers with too much wiggle room, especially in sectors such 
as ICTs, where states of industry knowledge change rapidly and can be difficult 
to determine with certainty. It therefore provided member states with an option to 
exclude this defence, such that a producer would be liable ‘even if (they prove) 
that the state of scientific and technical knowledge at the time when (they) put the 
product into circulation was not such as to enable the existence of a defect to be 
discovered.’⁹⁸ Countries such as Luxembourg and Finland availed themselves of 
this option to the benefit of consumers of high-tech products.⁹⁹ 


83 Product Liability Directive, art 12. 

84 Amazon Prime Terms and Conditions, point 6. 

85 Reed (n 33). 

86 Product Liability Directive, art 7(a). 

87 Product Liability Directive, art 7(c). 

88 Product Liability Directive, art 7(d). 

89 Product Liability Directive, art 7(f). 

90 Bernhard A Koch, ‘The Development Risk Defence of the EC Product Liability Directive’ (2018) 20 Pharmaceuticals Policy and Law 163. 

91 Product Liability Directive, art 7(e). 

92 Product Liability Directive, art 7(b). 

93 National Blood Authority (n 56) [49]. 

94 Fondazione Rosselli, ‘Analysis of the Economic Impact of the Development Risk Clause as Provided by Directive 85/374/EEC on Liability for Defective Products’ (2014) Study for the European Commission Contract No. ETD/2002/BS5. 

Technological advances such as the IoT have an ambiguous relationship to the 
development risk defence. Indeed, on the one hand, the increased complexity of 
the Things, especially of their software components, makes them more prone to 
vulnerabilities.¹⁰⁰ On the other hand, decisively, IoT and AI produce huge amounts 
of information, including information that can be used to predict the risks associated 
with a product.¹⁰¹ All in all, the rise of the IoT is likely to be exploited tactically 
by IoT companies to argue the unpredictability of defects, thus avoiding liability, 
while consumers will be able to underline how the IoT calls for a lower threshold 
of predictability. 

A second relevant defence is the later defect defence, whereby the defendant 
claims that the defect did not exist when the product was put into circulation.¹⁰² 
Its rationale is that ‘the manufacturer has control over the product until that 
moment.’¹⁰³ With the shift from analogue to digital and, finally, to ‘smart,’ producers 
do have control over Things also after the point of sale, and this is not 
currently reflected in the law. Not only can producers remotely control and monitor 
Things, but also, the IoT is often open to third-party additions and interventions.¹⁰⁴ 
The unfitness of the defence becomes even more palpable where Things 
embed AI and can therefore learn and change over time, with limited possibilities 
for the producer to predict the new defect.¹⁰⁵ 

Finally, though it is not strictly speaking a defence, producers can rely on the 
argument that the consumer initiated proceedings after the time limit of three 
years that runs from ‘the day on which the plaintiff became aware, or should 
reasonably have become aware, of the damage, the defect and the identity of the 
producer.’¹⁰⁶ In case of hidden defects, therefore, potentially no time limit will 
apply, other than the ten-year limitation period.¹⁰⁷ Such statute of limitations is 
arguably in violation of the human right of access to a court under the European 
Convention on Human Rights¹⁰⁸ in cases where it is scientifically proven that 
an individual could not know that they were suffering from a particular disease 
caused by a defective product within ten years, similarly to Moor v Switzerland.¹⁰⁹ 


4.2.5 Product Liability’s Interplay with Complementary Regimes 


Product liability regimes are closely linked with the related field of product 
safety law, whose main instrument is Directive 2001/95 (General Product Safety 
Directive).¹¹⁰ While the Product Liability Directive addresses liability for defects 
in a product that is already on the market, the General Product Safety Directive 
imposes controls on the quality of products before they can be placed on the 
market. A product can be ‘secure’ under the product safety regime and ‘unsecure’ 
under the product liability regime.¹¹¹ The main obligation of producers is 
to ensure that only safe products are placed on the market.¹¹² Products are safe 
if they do not present any reasonably foreseeable risk or only the minimum risks 
compatible with the product’s use, ‘considered to be acceptable and consistent 
with a high level of protection for the safety and health of persons.’¹¹³ As an 
example of an unsafe Thing, in 2019 it was found that Mazda’s braking system 
(Smart Brake Support) had been inappropriately programmed, and therefore, 
it might unexpectedly trigger the brakes, thus increasing the risk of accidents. 
Mazda was forced by the Romanian authorities to recall the product, and Belgium, 
Bulgaria, Estonia, Finland, Germany, Poland, and Portugal followed suit.¹¹⁴ 
This is no isolated incident, as the number of unsafe Things rises, e.g. from a smart watch 
in Iceland that could allow anyone to track and contact the child wearing it,¹¹⁵ to 
a connected car in Germany whose software security gaps could be exploited to 
hack the interconnected control systems in the vehicle.¹¹⁶ The main shortcoming 
of product safety legislation is that it does not provide for specific mandatory 
cybersecurity requirements,¹¹⁷ at least not expressly. However, if one accepts that 
the IoT disrupts the security-cybersecurity binary, it should follow that existing 
security requirements should be interpreted extensively to cover cyber threats.¹¹⁸ 
Hopefully, three proposals — the new Machinery Regulation, the Directive on the 
Resilience of Critical Entities,¹¹⁹ and the NIS 2 Directive¹²⁰ — will provide the 
perfect opportunity to abandon the obsolete binary. 

With respect to the IoT, there is a range of potentially applicable product safety 
laws at an EU level, both horizontal and vertical. Indeed, the General Product 
Safety Directive is complemented by sector-specific laws, such as the directives 
on Machinery and Medical Devices,¹²¹ particularly useful to maintain the safety 
of robots¹²² and Things used in healthcare.¹²³ These provide for ex ante compliance 
procedures coupled with an ex post oversight mechanism. The compliance 
procedures may be carried out by external ‘notified bodies’ or through self-certification 
mechanisms. Once a product completes the ‘conformity assessment 
procedure’ (also known as ‘type approval’), it can be placed on the European 
market. Once on the market, if a defect is subsequently identified, the associated 
exposure under the Product Liability Directive should create a positive feedback 
loop into the producer’s product safety management systems.¹²⁴ This could benefit 
the IoT, e.g. by incentivising producers to have software update procedures in 
place, to enable ‘defects’ to be addressed over-the-air, rapidly, and en masse.¹²⁵ 
Such obligation may be seen as stemming today from the requirements to deliver 
updates to avoid ‘lack of conformity’ disputes under the reformed EU consumer 
sales law and digital content law.¹²⁶ Since the lack of conformity covers both legal 
and factual defects and does not require a qualified damage (death, injury, damage 
to property), consumer sales law is likely to have broader application than product 
liability. However, consumer sales law has its own limitations, mainly due to its 
focus on the contractual relation and the requirement that the parties conclude 
a sales contract. Therefore, consumers will have to see on a case-by-case basis 
which strategy would more likely be successful. 


4.2.6 Time for a Reform of Product Liability? 


The Product Liability Directive has constituted a model for other countries and 
has been generally seen as striking a fair balance between consumer protection 
and competition.¹²⁷ However, technological developments such as the IoT are 
showing that a revision would now be timely. In 2018, the European Commission 
published its fifth report on the application of the directive.¹²⁸ There, it underlined 
that many ‘products available today have characteristics that were considered 
science fiction in the 1980s. The challenges we are facing now and even more 
acutely in the future (relate to) the Internet of Things.’¹²⁹ This is in line with 
this book’s contention that the IoT calls for a rethinking of the concept of product. 
Moreover, the Commission noted that stakeholders have expressed concerns 
about the continued relevance of the directive’s concepts and that, in particular, 
the good-service distinction is blurred.¹³⁰ As noted above, whilst the directive 
is flexible enough to deal with software products, the other digital components 
embedded in most Things, namely, service and data, are usually seen as currently 
escaping this strict liability regime, although more inclusive interpretations are 
possible. 

In the context of the Fifth Report, the Commission carried out a formal evalu- 
ation of the Product Liability Directive with a focus on IoT and autonomous 
systems. There, they underlined that the IoT involves different actors in the 
value chain, ‘which all enable the technology to function (product manufactur- 
ers, software producers, the connectivity service, sensor manufacturers, owners 
of the object, service providers etc.),’¹³¹ and added that IoT applications ‘have 
a very open ecosystem, where new features can be added by the user or even 
third parties to create a new one.’¹³² Arguably, despite the IoT’s relational black 
box, the product liability regime can be regarded as fit for purpose thanks to a 
broad definition of producer and to the possibility to bring an action against 
the supplier should the producer remain unidentified. The Commission’s formal 
evaluation was supported by an external study¹³³ that inter alia gathered evidence 
that consumers experience product liability issues with regards to Things 
and that consumer organisations ‘see difficulties in obtaining compensation for 
the damages suffered in case of defective products based on new technological 
developments.’¹³⁴ 

In February 2020, the Commission published a report on the safety and liability 
implications of AI, IoT, and robotics.¹³⁵ There, alongside already-mentioned 
issues around the concept of product and defect, the Commission warned of the 
dangers of a likely rise in the defences of later defect and development risk. 
This is due to the fact that ‘[c]ybersecurity weaknesses . . . may also appear at 
a later stage, well after the product was put into circulation.’¹³⁶ To include post-sale 
defects in the scope of product liability would be justified by the increased 
risks and increased control that are connected to the IoT, as well as to the fact that 
(cyber)security risks are inherent to the IoT environment that requires openness 
and connectivity. IoT-friendly amendments will have to revolve around a revisita- 
tion of the concept of ‘putting into circulation,’ which is no longer justified as the 
be-all and end-all of product liability. 

In light of this, and given the directive’s partial unfitness for purpose, it would 
be crucial to see IoT-ready amendments and guidelines for interpretation and 
application. Guidance from the Commission was expected in mid-2019 with the 
promise to consider an update to the concepts of defect, damage, product, and 
producer,¹³⁷ but as of May 2021, it has not been published yet. Hopefully, it will 
help overcome distinctions that the IoT shows to be outdated, such as product-service, 
hardware-software, and cybersecurity-security.¹³⁸ 

In the current stage of development of capitalism, the vulnerability of the 
Things cannot be fully comprehended without also considering the vulnerabil- 
ity of the consumers using them. Therefore, the second part of this chapter will 
critically assess how the law deals with that particular type of vulnerability that is 
generated by what we call ‘the Internet of Personalised Things.’ 


4.3 Can We Trust the Internet of Personalised Things? 


To carry out this assessment, I will focus on the Unfair Commercial Practices 
Directive, which aims at protecting consumers against unfair business-to-consumer 
commercial practices before, during, and after a commercial transaction in relation to 
a product.¹³⁹ The key aim is to ensure that traders do not, through misleading or aggressive 
practices (e.g. by creating the impression that the consumer cannot leave the 
premises until a contract is formed),¹⁴⁰ prevent consumers from making informed 
and free choices.¹⁴¹ We have already seen that the IoT constitutes a challenge 
to consumer decision-making. This section deals with how the IoT can curtail 
consumers’ autonomy, freedom of choice, and self-determination through per- 
sonalisation. This will constitute the basis for the next section’s critical assess- 
ment of whether the Unfair Commercial Practices Directive provides an adequate 
response to the issues raised by the ‘Internet of Personalised Things.’ 

In the Internet of Personalised Things, IoT data allows traders to personalise 
products, services, prices, and even ‘legals.’ Thanks to detailed and situational 
data about the consumer, context-specific targeting capabilities, and remote con- 
trol over the Thing, IoT traders can go beyond the personalisation of their offers 
(targeted advertisements) and the innovation of their content delivery:¹⁴² they can 
personalise the way products are built, priced, negotiated, sold, and interacted 
with by consumers. Things are dynamic products that can be remotely changed 
during their life cycle to respond to the consumer’s preferences and behaviours. 
Echo learns about its users over time, and its answers become increasingly more 
relevant. Improved tracking and profiling capabilities allow IoT traders to target 
consumers with more relevant offers and at a price that mirrors their spending 
capabilities and is often determined automatically.¹⁴³ For example, research 
showed that the same search for holiday bookings can lead to different results, 
depending on whether or not one has deleted the cookies.¹⁴⁴ Whilst personalisation 
is a trend that goes beyond the IoT, there is evidence that, in this field, 
‘[p]roduct data increasingly underpins finer-grain product personalization.’¹⁴⁵ 

Personalisation is not all bad. Positive examples of personalisation come 
from personalised healthcare, where postoperation treatments can be provided 
remotely and at home using commercially available Things. One can stand up and 
walk in front of Kinect (Microsoft’s motion-sensing Thing), which can automatically 
tell patients if they are regaining their strength.146 IoT-powered personalised 
medicine is used not only for postoperation treatments but also for diagnosis, as 
exemplified by the smart toilet that, leveraging pressure and motion sensors, as 
well as computer vision and deep learning, analyses the colour, flow rate, and 
volume of a user’s urine ‘with performance that is comparable to the performance 
of trained medical personnel.’147 

Personalisation becomes negative when it leads to consumer manipulation in 
the form of decision-making that maximises the trader’s profit and adversely 
affects the consumer’s autonomy, freedom of choice, and self-determination. 
This is connected to a number of factors, such as the IoT-produced information 
overload. Indeed, there is evidence that ‘an increase in the amount of personal 
information decreases information processing ability, and this hinders rational 
decision-making.’148 The dynamic nature of Things, incrementally learning 
about their users, can also lead to lock-in effects. This is exemplified by Amazon’s 
warning that, if we decide to protect our privacy by deleting Alexa’s voice 
recordings associated with our account, this ‘may degrade your experience.’149 
Ultimately, the IoT is changing the customer-trader relationship, which becomes 
far more direct and personalised,150 hence Amazon’s and other major IoT players’ 
pledge to espouse customer-centrism as their philosophy. Such a direct relationship, 
or its appearance, can provide IoT traders with unprecedented opportunities 
to manipulate consumers. IoT-powered analytics not only predicts consumer 
behaviours but also changes them and makes them more predictable — targeted 
ads can, over time, profoundly affect consumers’ likes and dislikes.151 One need 
only think of Facebook’s experiment where the social networking site manipulated 
the newsfeed to see how this would affect the users’ emotions.152 Even the 
‘legals’ can be personalised, as already happens in pay-as-you-drive car insurance 
models.153 Personalised Things can be used to nudge consumers into changing 
their behaviour and shape their habits.154 By monopolising our attention, our 
Things can make us into less-alert, more-e-commerce-ready consumers. Instead 
of using retail shelves, IoT consumers browse pages of search results — the ‘digital 
shelves’ — looking for answers to their questions and shopping opportunities. 
Space on the digital shelf is limited, e.g. if I ask Echo Show to search for boots, 
due to the size of the display, it will only show me a few models and brands. 
Therefore, ‘competition to capture the consumer’s attention can be intense,’155 
and those who control the digital shelf control consumers’ attention.156 Thus, the 
IoT may play an important role in determining who will win the internet’s attention 
wars, that is, the constant struggle to attract and monopolise the attention 
of increasingly distracted consumers.157 Consumer manipulation can even alter 
our beliefs, as evidenced by how Russian hackers and trolls allegedly helped 
win the 2016 US election in Trump’s favour.158 Personalisation, finally, can hide 
forms of discrimination. This happens if e.g. Facebook does not show certain job 
opportunities to women and non-binary users.159 Considering the practices of 
the ‘attention markets’160 as mere personalisation is giving a colourable face to 
manipulation and discrimination.161 

Manipulation is a phenomenon that has been observed since the nineties. Back 
then, it was called ‘market manipulation.’162 It revolves around the fact that manufacturers 
have incentives to exploit cognitive biases ‘to shape consumer perceptions 
throughout the product purchasing context . . . [a]dvertising, promotion and 
price setting all become means of altering consumer risk perceptions.’163 With the 
digital revolution, market manipulation becomes pervasive and is increasingly 
referred to as ‘consumer manipulation’164 or ‘digital market manipulation.’165 It 
combines for the first time what Ryan Calo calls ‘a certain kind of personalization 
with the intense systematization made possible by mediated consumption.’166 Marketing 
is systematised as automated commercial messages flood mail and emails; 
‘online advertising platforms match hundreds of thousands of ads with millions 
of Internet users on the basis of complex factors in a fraction of a second.’167 
The shift comes with the systematisation of the personal. Traditionally, ads could 
exploit general consumer vulnerability (e.g. the ‘price blindness’ that makes most 
consumers perceive €9.99 as closer to €9.00 than to €10).168 Now it is possible to 
change the digital environment of transactions to exploit each consumer’s cognitive 
style, bias, vulnerability, and idiosyncrasy. We have already seen this when 
dealing with the IoT commerce’s immersion in hyperconnected transacting environments. 
The IoT allows more refined forms of personalisation. Such enhanced 
personalisation can lead to manipulation, and as concluded by the European Data 
Protection Supervisor, ‘online manipulation poses a threat to society.’169 
IoT-enhanced personalisation, and hence manipulation, can affect autonomy, 
freedom of choice, and self-determination more profoundly than other ICTs 
because of the combined effect of five features of the IoT. First, being ‘always 
on,’ Things produce a wealth of granular data (e.g. UK smart meters generate 
21.2 billion megabytes of data each year).170 Second, thanks to its networked 
dimension, the IoT allows traders to track and profile users across Things and 
IoT systems and in increasingly sophisticated ways. For example, using signals 
that can be picked up by a consumer’s Things but not heard by the consumer 
themselves, IoT traders can map all the Things used by the same consumer, which 
makes cross-device tracking easier.171 Third, the IoT provides increased opportunities 
to target consumers. This derives from its being ubiquitous: around us when 
we walk (smart city), when we are in our own home (smart home), and it even 
invades the most private of spaces, that is, our body — the Internet of Bodies.172 
Therefore, consumers can be targeted with ads, political messages, or any type of 
manipulative content at any given moment and anywhere. Fourth, targeting techniques 
become increasingly personalised. Thanks to the wealth of data produced 
by Things, the use of behavioural research ‘to exploit the biases, emotions, and 
vulnerabilities of consumers,’173 and new technologies allowing refined emotion 
recognition, IoT traders know what the best way is to target a consumer and when. 
They may know that consumer X is more susceptible to short video content when 
they are sad and target them using short video content when the data (e.g. one’s 
tone of voice) suggests that the consumer is sad. Fifth, the IoT furthers the power 
imbalance between consumers and traders. Tackling this imbalance is the ratio- 
nale for most consumer laws, designed to address an imbalance that has its roots 
in, but is not limited to, information asymmetries and economic power. The IoT 
exacerbates this, mainly because of the power to remotely control, downgrade, 
‘brick’ the Thing throughout its life cycle. The consumer knows that the trader 
can take away any functionalities of the Thing or even make it unusable. This 
provides an incentive not to react to unfair practices. 


4.3.1 IoT-Enhanced Consumer Manipulation as an Unfair 
Commercial Practice 


The negative effects of personalisation that can be referred to as ‘Internet of Personalised 
Things’ have been correctly considered as inherently unfair.174 They 
can harm consumers’ trust in the IoT. As noted in a study on smart dolls,175 to 
find out that free choice is illusory and that monitoring and data-sharing practices 
are invasive and hidden leads to a loss of trust. Without trust, the IoT will 
not unleash its potential. Since the Unfair Commercial Practices Directive is 
aimed at countering misleading and aggressive practices and at building trust in 
the internal market,176 this section will inquire whether unfair trading law can 
provide an adequate response to the risks of the Internet of Personalised Things. 
In doing so, this section will analyse this directive as amended by Directive (EU) 
2019/2161, that is, the Enforcement and Modernisation of Consumer Protection 
Directive. It has already been seen how the latter amended the Consumer Rights 
Directive and the Unfair Terms Directive. This reform, part of the ‘New Deal 
for Consumers’ package,177 increases the effectiveness of consumer protection 
against unfair practices as now member states have to provide consumers not 
only with the right to seek an injunction but also compensation, price reduction, 
and the termination of the contract.178 The reform made the Unfair Commercial 
Practices Directive more IoT-ready thanks to a broader definition of product — 
‘any good or service including immovable property, digital service and digital 
content, as well as rights and obligations’179 — and for the reasons detailed in the 
following passages. 

A study on the implementation of the Unfair Commercial Practices Directive 
showed that it considerably improved consumer protection thanks to two of its 
specific features, namely, its horizontal safety-net character and its combination 
of principle-based rules with a ‘blacklist’ of specific prohibitions of certain unfair 
practices.180 This full-harmonisation181 directive strongly protects consumers in 
all sectors; in this sense, it provides a safety net that bridges the gaps that are 
left unregulated by other EU sector-specific rules.182 Indeed, it applies to all 
unfair business-to-consumer commercial practices, specifically ‘any act, omission, 
course of conduct or representation, commercial communication including 
advertising and marketing, by a trader, directly connected with the promotion, 
sale or supply of a product to consumer.’183 The concept has been interpreted 
broadly by the CJEU; for instance, in UPC184 the court stated that even individual 
acts and omissions amount to ‘commercial practices,’ thus overcoming more 
restrictive national rules epitomised by the UK case R v X Ltd,185 where single 
incidents would fall within the scope of unfair trading laws only depending on 
the circumstances of the case.186 Similarly, in Vanderborght, the CJEU confirmed 
a broad notion of commercial practice, which would cover the advertising of 
oral and dental care services ‘whether through publications in advertising periodicals 
or on the internet, or through the use of signs.’187 Even more explicitly, 
the CJEU in Dyson v BSH188 gave ‘commercial practice’ a ‘particularly broad 
formulation,’189 including all practices that originate from traders and are directly 
connected with the promotion, sale, or supply of their products to consumers. 
This first feature — the horizontal safety-net character — suggests that the direc- 
tive is fit for the IoT because it takes account of the latter’s sectoral fragmenta- 
tion as well as of the many forms that personalisation and manipulation can take. 
Amazon Echo e.g. may influence a consumer by manipulating the search results 
and not making it clear that the items recommended for purchase are shown 
because their manufacturer paid a fee for them to be ranked higher. These types 
of manipulation are becoming increasingly common and may not necessarily be 
captured by other consumer laws. Positively, the Enforcement and Modernisation 
of Consumer Protection Directive introduced specific provisions regarding 
e-commerce searches and rankings. In particular, first, it defined ‘ranking’ as the 
relative prominence given to products, as presented, organised, or communicated 
by the trader, irrespective of the technological means used for such presentation, 
organisation, or communication.190 Second, it clarified that not to inform 
the consumers about the main parameters determining the ranking of products 
presented to them ‘as a result of the search query and the relative importance 
of those parameters, as opposed to other parameters,’191 is a misleading omission. 
Third, it blacklisted (i.e. made automatically unfair) the practice to provide 
search results in response to a consumer’s online search query without clearly 
disclosing any paid advertisement or payment specifically for achieving higher 
ranking of products within the search results.192 This is a commendable strengthening 
of consumer protection that builds on national best practices. Indeed, 
ranking manipulation was already considered misleading in Germany, where 
the Landgericht Berlin (Regional Court of Berlin) sanctioned a well-known 
comparison and booking service that enabled hotels to manipulate the ranking 
by paying higher commission fees.193 Similarly, in France the Conseil d’État 
observed that the practice was unfair and noted that fairness means good faith in 
the provision of a ranking service, ‘without trying to alter it or manipulate it for 
purposes that are not in the users’ interest.’194 The qualification of these practices 
as unfair will soon be complemented by a new obligation that the forthcoming 
Digital Markets Act will place on ‘gatekeepers’ (a provider of core platform 
services, such as search engines and social networking services).195 Gatekeepers 
will have to refrain from treating more favourably in ranking services and products 
offered by the gatekeeper itself or by any third party belonging to the same 
undertaking compared to similar services or products of third parties and apply fair 
and nondiscriminatory conditions to such ranking.196 Such a clear and EU-wide 
protection against this form of consumer manipulation is of utmost importance 
in the IoT mainly because of the latter’s limited interfaces. Most Things will be 
able to display only one or a few search results; therefore, consumer freedom of 
choice risks being severely curtailed by practices attempting to manipulate the 
way search results are ranked. This links back to the issues of the digital shelf 
and the attention wars seen above. 

An objection to the application of unfair trading laws to IoT-enhanced manipulation 
could be that it is the Thing, not the trader (e.g. Amazon), that puts in 
place manipulative practices. Such an objection could be easily defeated by 
noting that the definition of ‘commercial practice’ does not require the promotion, 
sale, or supply to be done by the trader itself. As held in R. v Scottish and 
Southern Energy Plc,197 a nontrading holding company can be regarded as a 
trader putting in place unfair commercial practices despite the latter being the 
direct responsibility of one of the subsidiary’s employees. In that case, there 
was evidence that the training of the subsidiary’s employees was done with the 
holding company’s involvement and under its ultimate supervision and control, 
even if it was acting in conjunction with, and left the details to, the subsidiary. 
If a nontrading holding company can be held liable for the unfair practices of 
one of its subsidiaries’ employees, then IoT traders will be liable for the unfair 
practices carried out by their Things, since they train, supervise, and ultimately 
control them. 

The success of the Unfair Commercial Practices Directive derives also from the 
joint operation of principle-based rules and a ‘blacklist’ of specific prohibitions of 
some unfair practices. The former consists of outlawing: 


(i) The practices that are in contravention of professional diligence;198 
(ii) Misleading actions;199 
(iii) Misleading omissions; and 
(iv) Aggressive practices.201 


In doing so, the directive and its national implementations, e.g. the UK Consumer 
Protection from Unfair Trading Regulations 2008,202 do not describe individual 
practices (e.g. price discrimination) but set out some requirements that, if made 
out, indicate that a practice is unfair. Whereas these rules require a case-by-case 
assessment of their unfairness, the blacklisted practices are considered unfair in 
all circumstances. 

The principle-based rules can be beneficial to counter the negative effects of 
the Internet of Personalised Things. Indeed, they allow the directive to adapt to 
fast-evolving products, services, and sales methods and prevent unfair behaviour 
that is not covered by specific prohibitions.203 Each rule will be analysed in turn. 


4.3.1.1 Unfair Commercial Practices That Are Contrary to the Requirements 
of Professional Diligence: Vulnerable by Design? 


Under Article 5 of the directive, a commercial practice is unfair if it is contrary 
to the requirements of professional diligence and is likely to materially distort 
the average consumer’s economic behaviour. An unfair commercial practice 
of this type was at issue in Office of Fair Trading v Ashbourne Management 
Services Ltd,204 where a gym described members who wished to terminate their 
agreements before the end of a minimum subscription period as ‘defaulters’ and 
threatened to register that information with credit reference agencies. This was 
contrary to professional diligence, because a gym’s subscription is not a regulated 
credit agreement and the ‘debt’ was, in reality, nothing more than unliquidated 
damages. In the context of the IoT, one of the commercial practices that may be 
considered contrary to professional diligence would be the sale of a Thing with 
preinstalled software without any option for the consumer to purchase the same 
model of Thing not equipped with preinstalled software, as was the case in 
Deroo-Blanquart.205 On this front, the proposed Digital Markets Act will strengthen 
consumer protection by obliging gatekeepers to allow end users to uninstall any 
preinstalled software applications on their core platform service.206 

For a commercial practice to be found unfair and contrary to professional dili- 
gence, three requirements have to be made out. The practice must: 


(i) Be contrary to professional diligence; 
(ii) Likely lead to an unwanted transactional decision; and 
(iii) Regard the average consumer. 


The first requirement is straightforward. The practice must be contrary to professional 
diligence, that is, the standard of special skill and care which a trader 
may reasonably be expected to exercise towards consumers, commensurate with 
honest market practice or good faith in the trader’s field of activity.207 Codes of 
conduct and professional bodies’ regulations will play a role in defining the relevant 
standards.208 

Second, the practice must materially distort the economic behaviour of consumers 
by appreciably impairing their ability to make an informed decision, thus 
potentially causing them to make a transactional decision that they would not 
have taken otherwise.209 Transactional decisions are defined as: 


Any decision taken by a consumer concerning whether, how and on what 
terms to purchase, make payment in whole or in part for, retain or dispose of 
a product or to exercise a contractual right in relation to the product, whether 
the consumer decides to act or to refrain from acting.210 


It is settled case law that ‘transactional decision’ must be interpreted in a broad 
way. In Trento Sviluppo211 it was held that this concept covers not only the decision 
whether or not to purchase a product but also decisions directly related to 
the former. In that case, the directly related decision was the decision to enter the 
shop; in the IoT, a similar situation would arise if the IoT trader manipulated 
the consumer into keeping the Thing ‘always on.’ This could be the result of 
design choices, e.g. if the Thing does not come with a button to switch it off (e.g. 
Google Home). This trend justifies calls for a right to be disconnected.212 

Third, ‘average consumer’ refers to the consumer who is reached by the practice, 
to whom the practice is addressed, or when it is directed to a particular group 
of consumers, the reference will be to the average member of that group. The 
Unfair Commercial Practices Directive does not define the average consumer, but 
the CJEU213 and the national authorities214 tend to consider it as reasonably well-informed 
and reasonably observant and circumspect, taking into account social, 
cultural, and linguistic factors. As observed in UPC,215 the average consumer is 
‘economically weaker and less experienced in legal matters than the other party 
to the contract.’216 In that case, it followed that it did not constitute a defence 
for the trader to prove that the consumer could have obtained the correct information 
by themselves. A more trader-friendly approach is taken in those jurisdictions, 
such as England, where the average consumer is seen as taking reasonable 
care of themselves rather than, to put it in Briggs J’s emphatic words in Office of 
Fair Trading v Purely Creative Ltd,217 ‘the ignorant, the careless or the overhasty 
consumer.’218 Leaving aside this perhaps caricatural representation of the EU 
concept of average consumer, one should wonder if pervasive sociotechnological 
phenomena such as the IoT affect the standard of ‘average consumer’ and make 
us all ignorant, or at least more vulnerable, compared to the average consumers of 
nonsmart products.219 As Ugo Mattei recently put it, smart products are making 
us ‘dumb’ in the sense that the IoT is transforming us into commodities akin to 
cyborgs.220 

Vulnerable consumers enjoy special protection in the context of the unfair practices 
that are in violation of professional diligence.221 Indeed, Article 5(3) of the 
directive provides special rules that apply when the practice can affect a group 
of consumers who are particularly vulnerable.222 They may be vulnerable either 
to a commercial practice or to the underlying product.223 For example, one could 
be vulnerable to the practice consisting of the exploitation of every Thing in a 
consumer’s smart home to deliver ads. Vulnerability to products may apply, for 
instance, to a scenario where Amazon uses its emotion-recognition technology224 
and its knowledge of the consumer behaviour to target them with ads regarding 
immune system boosters when the consumer is worried that they are about to get a 
cold. Traditionally, it has been recognised that vulnerability can be related to ignorance, 
necessity, or trust.225 In a recent study regarding IoT targeting, it has been 
suggested that a fourth cause of vulnerability should be the susceptibility to digital 
market manipulation.226 The argument could be put forward that the Internet of 
Personalised Things is making us all vulnerable. The matter has practical relevance 
because if a commercial practice is likely to distort a vulnerable consumer’s 
behaviour, then it ‘shall be assessed from the perspective of the average member 
of that group,’227 which means a lower threshold for a finding of unfairness. 

This provision does not tackle all types of vulnerability, at least not expressly. 
It deals only with consumers who are vulnerable because of their mental or physi- 
cal infirmity, age, or credulity and only inasmuch as the trader could reasonably 
be expected to foresee the economic behaviour’s distortion. The first two types 
of vulnerability are self-explanatory and are not particularly relevant from an IoT 
angle. They may nonetheless play a role in the fields of smart ageing and games 
because of the targeting of the elderly and of the children. It has been observed 
that ‘[m]illennials who adopt IoT offer their data more willingly to marketers and 
firms, which makes it easier for marketers to collect data and target customers 
more precisely.’228 Less clear and more relevant is the concept of ‘credulity.’ As 
an example of unfair practice affecting credulous consumers, one could refer to 
the Finnish case229 of a trader who had stated that for each candy bag sold, they 
would plant a tree, despite having already agreed to plant a certain number of 
trees independently of the number of candy bags sold. The Finnish Market Court 
found that this statement took advantage of the credulity of consumers that were 
concerned about the environment. This does not mean that ‘green’ consumers are 
credulous in general, but they are more likely to be vulnerable to certain practices. 

‘Credulity’ is the most flexible of the categories considered by Article 5(3) in 
the context of the protection of vulnerable consumers, but it should be critically 
assessed whether it is flexible enough to counter the negative effects of the Inter- 
net of Personalised Things. 

As observed by the European Commission in its guidance on the directive,230 
‘credulity’ covers groups of consumers who may more readily believe specific 
claims. However, these are not groups that can be identified with certainty. The 
term is ‘neutral and circumstantial. . . . Any consumer could qualify as a member 
of this group.’231 Depending on the circumstances, anyone could be credulous, 
even just temporarily and with regard to a single product or practice. A study on 
consumer vulnerability232 found that credulous people are less likely to complain 
when facing problems. Considering that one of the main reasons for the Enforcement 
and Modernisation of Consumer Protection Directive was to improve 
enforcement,233 an interpretation of credulity and vulnerability that is as broad 
as possible would prevent the issue of consumers not reacting to unfair practices, 
thus furthering the aims of the reformed directive. Another argument towards a 
broad interpretation of credulity and vulnerability is that this is consistent with 
insights from behavioural studies, which EU consumer laws increasingly draw 
on.234 These studies235 confirm that a vulnerable consumer is one who, as a result 
of sociodemographic characteristics, behavioural characteristics, personal situation, 
or market environment: 


(i) Is at higher risk of experiencing negative outcomes in the market; 
(ii) Has limited well-being maximisation capabilities; 
(iii) Struggles to obtain or assimilate information; 
(iv) Is less able to access and select suitable products; or 
(v) Is more susceptible to certain marketing practices. 


Arguably, as a consequence of the aforementioned IoT-generated wealth of 
granular data, improved targeting capabilities, and remote control throughout the 
life cycle of the Thing, consumers are likely to find themselves vulnerable to 
an insidious market environment where it is difficult to obtain and assimilate 
information (the contractual quagmire) and where several IoT traders contend for 
the user’s attention, thus reducing the consumers’ capabilities to maximise their 
well-being and choose the most suitable products. A recent study236 on the dark 
side of the behaviour of IoT traders shed light on a number of exploitative and 
extractive practices where the complexity of the technology is used to spread 
confusion among the consumers. This study mentions the examples of complex 
pricing alternatives of IoT subscriptions and complicated usage rates that make 
comparisons of price and fees among IoT service providers rather arduous. This 
renders well-informed decision-making difficult for consumers; not only the 
young and the elderly are vulnerable, but also the ‘technologically unsavvy are 
particularly susceptible to this type of dark-side behaviour.’237 These are all good 
reasons to widen the scope of vulnerability to tackle the issues on the Internet 
of Personalised Things. The IoT may lead to a more intense application of the 
special regime on unfair commercial practices affecting vulnerable consumers, 
which in practice means that it will be easier for consumers (and consumer organ- 
isations) to prove that the Internet of Personalised Things is unfair. Indeed, by 
virtue of this special regime, the likelihood of the practice distorting a vulnerable 
consumer’s behaviour will be assessed from the perspective of the average IoT 
consumer, who can hardly be described as reasonably well-informed, reasonably 
observant, and circumspect. 


4.3.1.2 Misleading Actions and Confusing Practices 


Another set of principle-based rules deals with misleading actions. These rules 
are distinct from those that apply to the practices in violation of professional diligence. 
As the CJEU pointed out in CHS Tour Services GmbH v Team4 Travel 
GmbH,238 there is no automatic infringement of the requirements of professional 
diligence if a commercial practice is categorised as a misleading action. These 
actions may, however, also be contrary to professional diligence. As an example of 
such a misleading action, one can think of Italy’s injunction239 against a website 
that invited consumers to purchase the drug Kaletra, falsely advertised as ‘the only 
remedy to the Coronavirus (COVID-19).’240 

Under Article 6 of the Unfair Commercial Practices Directive, misleading 
actions can be divided into two types: information-related and behaviour-related. 

For an information-related action to be regarded as misleading, it must: 


(i) Likely deceive the average consumer; 
(ii) Likely cause the consumer to make an unwanted transactional decision; 
(iii) Concern certain items of information that are considered ‘material.’ 


The first requirement is that the misleading action must be likely to deceive the 
average consumer.241 This can depend on the provision of false information or of 
factually correct information that is nonetheless deceitful, for instance, due to its 
overall presentation. As held in Competition and Markets Authority v Care UK 
Health and Social Care Holdings Ltd,242 a misleading action does not inherently 
require a dishonest action, as the offence is one of strict liability.243 As an example 
of deceitful false information, Poland’s Office of Competition and Consumer Protection244 
sanctioned a trader for falsely claiming that its loans to consumers had 
the lowest interest rates on the market. As an example of truthful yet deceitful 
actions, Malta’s Consumer Claims Tribunal245 considered as misleading a mobile 
phone operator’s advertisement where the mobile rates were claimed to be 30% 
cheaper than those of the competitors. Indeed, it ambiguously presented the offer 
as it did not make clear that the first minute of phone conversation was not on 
a per-second basis. In an IoT context, e.g. a statement that Echo can be used to 
listen to music for free when in fact a consumer needs to purchase additional 
subscriptions (e.g. Prime), may be regarded as an action likely to deceive the 
average consumer. 

Second, the misleading action must be likely to cause the consumer to take a 
transactional decision that they would not have taken otherwise.246 This requirement 
applies also to practices in contravention of professional diligence, misleading 
actions, misleading omissions, and aggressive practices. Therefore, the 
same broad concept of ‘transactional decision’ applies here. On the point, national 
courts have followed the CJEU’s approach. E.g. an English court stated in R v 
X Ltd247 that the concept of transactional decision is such that it may be affected by 
statements made after the transaction has been completed. In that case, the statement, 
provided after the installation of a CCTV system, that the system as fitted 
was fit for purpose was considered misleading. Linking back to our case study, if 
a consumer buys a product and, during the time when they could have returned 
it, Alexa convinces them that the product is fit for purpose, such practice may be 
regarded as unfair regardless of the fact that, strictly speaking, it occurred once 
the transactional decision had already been taken. 

Third, the information must regard one of seven items expressly listed by the
directive. These are the existence or nature of the product; its main
characteristics; the extent of the trader’s commitments; the price; the need for a
service, part, replacement, or repair; the nature, attributes, and rights of the
trader; and the consumer’s rights. These items are called ‘material information,’
that is, as noted in Office of Fair Trading v Purely Creative Ltd, the information
which is necessary to enable the average consumer to take an informed
transactional decision. A key question in the IoT is whether presenting the Thing
as provided for free, when in fact it is ‘paid for’ using the consumer’s personal
data, can be regarded as a misleading action. In other words, it can be posited that
such an action qualifies as a false statement regarding material information, in
particular the price. Whilst there is disagreement on the point, it can be argued
that, in light of the growth of the business model having personal data as
contractual consideration, the notion of price ‘must be interpreted broadly,
including non-monetary forms of exchanges, such as data.’ Whilst this inference
appears correct, a better way to tackle the practice is to invoke the breach of
Article 7 of the directive (‘misleading omissions’) and of its blacklist; therefore,
we will expand on the matter later in the chapter.

The directive does not limit the notion of misleading action to the provision
of information. Behaviour-related misleading actions include confusing
marketing, noncompliance with codes of conduct, and the marketing of
goods as being identical to goods that are marketed in other member states whilst
they are significantly different. Compared to the misleading actions regarding
false or otherwise deceitful information, these three behaviour-related actions
have to meet partly different requirements to be found unfair. The likelihood
to lead to an unwanted transactional decision applies here as well. Conversely,
unlike the information-related misleading actions, the assessment here will have
to be conducted in the ‘factual context (of the practice), taking account of all its
features and circumstances.’

Confusing marketing is the marketing of products that creates confusion with
the competitors’ products (e.g. copycat branding). Whilst the use of a sign that
is similar to an existing mark can qualify as trademark infringement, if the
trademark is dissimilar but the more general branding is similar, this could fall
outside the scope of trademark infringement. That is when the Unfair Commercial
Practices Directive can step in. An example may be the deployment
of a virtual assistant whose voice resembles Siri and thus may lead consumers to
trust it.

Noncompliance with codes of conduct can qualify as unfair only when two
requirements are met. First, the trader has breached the code’s commitments,
which are firm and capable of being verified. Second, the trader indicated in its
practice that they were bound by the code. Let us imagine that a trader advertises
its Things as being secure pursuant to the Code of Practice for Consumer
IoT Security. The code’s first commitment is that Things’ passwords have to be
unique and not resettable to any universal factory default value. If the trader sells
Things with default passwords such as ‘admin’ or ‘password,’ then they are
committing an unfair, misleading action.

Finally, the marketing of goods as being identical to goods that are marketed
in other member states whilst they are significantly different is an addition of the
Enforcement and Modernisation of Consumer Protection Directive. Whilst the
reference to ‘goods’ implies a focus on tangible products, it should be underlined
that in the IoT tangible goods can be rendered different through a variation of
their intangible components. Things may embed lower-quality software or provide
more limited digital contents if compared to Things used in another member
state. Thus, this directive would complement the Cross-Border Service Portability
Regulation. Indeed, whilst the latter does not apply to the lack of portability
of online content services when they are not paid for, the former may fill the
gap and cover also free services. More generally, it is useful to keep in mind that,
although this particular provision regards goods, the Unfair Commercial Practices
Directive applies to products. These are defined as ‘any good or service including
immovable property, digital service and digital content;’ therefore, it is fit for
the IoT as it applies to all those Things that escape the good-service dichotomy.


4.3.1.3 Misleading Omissions and the Limitations of 
the Communication Medium 


Traders can mislead consumers not only through their actions but also through their
omissions. An example of misleading omission regards planned obsolescence, which
is a common practice in an IoT context. Planned obsolescence refers to the practice
of designing a product so that it will become obsolete or nonfunctional after a
certain period of time; it has been observed that obsolescence ‘sits uneasily with
the current prescriptions of the law.’ This practice is not in itself unfair. However,
the European Commission noted that a trader who omits to clearly inform
about planned obsolescence (e.g. that a software is likely to be discontinued after
a number of years) may be in breach of the directive’s provision on misleading
omissions. This could reduce IoT traders’ control over their Things’ life cycle, thus
partly correcting the power imbalance between them and their consumers.

Article 7 of the Unfair Commercial Practices Directive considers misleading 
those omissions that: 


(i) Are likely to lead to an unwanted transactional decision; and either
(ii) Omit material information, or
(iii) Hide it.

The first requirement is not problematic as it is the same that has been previously
analysed with regard to unfair practices in contravention of professional
diligence and misleading actions. It means that the practice causes or is likely to
cause the consumer to make a transactional decision that they would not have
otherwise taken. It includes one-off omissions concerning an individual consumer,
as was the case in UPC.

The second requirement is that the trader omitted ‘material information,’ that is,
the information that the average consumer needs, according to the context, to take
an informed transactional decision. In Office of Fair Trading v Purely Creative
Ltd, Briggs J stated that the ‘question is not whether the omitted information
would assist, or be relevant, but whether its provision is necessary to enable the
average consumer to take an informed transactional decision.’ There are four
types of material information.

First, the information is ‘material’ depending on the context (‘contextual
materiality’). This is a flexible category that can be better understood considering
the distinction set forth in Secretary of State for Business, Innovation and Skills v
PLT Anti-Marketing Ltd. The court of appeals distinguished between inward-facing
information and publicly accessible information. The former is information about
a trader’s product that is likely to be known only to the trader. In that case,
the consumer needs to obtain the information from the trader and its omission is
likely to qualify as misleading. Not all inward-facing information about a product
is material; in PLT Anti-Marketing, for example, a trader was not required to
disclose to consumers its markup or the cost of obtaining the product from a
supplier. Conversely, if the information is publicly accessible and the consumer
could obtain the information by making enquiries in the marketplace (e.g. looking
it up online), then the information would likely be regarded as immaterial and its
omission not misleading.

A second type of material information refers to Annex II to the directive. This
provides a nonexhaustive list of EU law instruments that set out obligations to
provide information that is deemed material for the purposes of the provision on
misleading omissions. These include the information requirements imposed by
the Consumer Rights Directive and the e-Commerce Directive.

A third type was introduced by the Enforcement and Modernisation of Consumer
Protection Directive, which provided more stringent requirements for consumer
reviews. When a trader provides access to consumer reviews, information
about whether and how the trader ensures that the reviews originate from consumers
who have actually used or purchased the product is material.


Finally, Article 7(4) provides a list of information items that are material in the
case of an invitation to purchase, if their ‘materiality’ is not already apparent from
the context. Limiting ourselves to the items that are more directly relevant from
an IoT perspective:

a) The main characteristics of the product, ‘to an extent appropriate to the
medium and the product.’ More will be said later on about the importance
of the medium, but suffice it to say now that it is important to distinguish
between the use of a Thing for e-commerce purposes (Thing as a medium)
and the purchase of a Thing regardless of the medium (Thing as a product).
In the former scenario, the physical limitations of the Thing may provide a
justification for the trader to provide less information regarding the product
purchased through the Thing. In the latter, conversely, traders will have to
be careful to provide thorough and clear information to offset the intrinsic
complexity of the Thing as a product.

b) The address and the identity of the trader. This is important in an IoT context
because we have seen that, as a result of a complex supply chain and of an
intricate web of legals, it is not easy for the consumer to identify who is the
trader.

c) The price and the manner in which the price is calculated. It can be argued
that ‘price’ should be interpreted broadly as encompassing nonmonetary
exchanges (e.g. personal data as consideration). If a trader omits to inform
that the price of the service or product is paid for by the consumer’s data,
the practice may count as a misleading omission. This will depend not only
on the courts’ readiness to consider personal data as a currency but also on
their assessment of whether the consumer needs such information to take an
informed transactional decision and whether its omission would be likely to
lead to an unwanted transactional decision. This will have to be seen on a
case-by-case basis, but arguably in an IoT context that increasingly relies on
data monetisation, this information should be regarded as material.

d) The existence of a right of withdrawal, when applicable. This has been
strengthened by the Enforcement and Modernisation of Consumer Protection
Directive. Indeed, member states have been empowered to adopt stronger
rules on the right of withdrawal to better protect their consumers in the context
of unsolicited visits by a trader to a consumer’s home (doorstep selling)
and commercial excursions. Since these practices may qualify as aggressive,
they will be dealt with in the next section. Suffice it to say, however, that
the concept of home should include the smart home and IoT traders should
therefore be careful to avoid unsolicited virtual visits.

e) Whether the third party offering the products on an online marketplace is a
trader or not. This is an important innovation of the Enforcement and
Modernisation of Consumer Protection Directive, and it can be useful in an IoT
context. IoT traders can allow third parties to integrate their apps into the
former’s Things. Most of these third parties are likely to qualify as traders. In
any event the IoT trader will have an obligation to inform about their quality
as traders (or as consumers); otherwise, they are likely to be in breach of this
provision on misleading omissions.

As ruled in Deroo-Blanquart, the aforementioned is an ‘exhaustive list of the
material information that must be included in an invitation to purchase.’ However,
the fact that a trader provides, in an invitation to purchase, all the information
listed above does not preclude that invitation from being regarded as a misleading
action or a misleading omission of the ‘hiding’ sort, to which we now turn.

The third requirement for the omission to be found misleading is that information
is hidden, as opposed to being altogether omitted. This requirement is
alternative to the second one. It rarely happens that a trader simply omits material
information that is mandated to allow the consumer to make informed transactional
decisions. Positively, therefore, the directive addresses the more usual
scenario where the information is hidden or provided in an unclear, unintelligible,
ambiguous, or untimely manner. This comes with the proviso of the likelihood to
lead to an unwanted transactional decision. This provision is of utmost importance
to counter the contractual quagmire in which IoT consumers find themselves. If
IoT traders bury the mandated information in legals that are long, difficult to
find, or difficult to understand, this would be likely to count as a misleading
omission of this type. The directive expressly mentions a particular category of
‘hiding’ practice, that is, the failure to identify the commercial intent of the
commercial practice, if this intent is not already apparent from the context. The
European Commission’s official guidance deals with the issue of whether traders
who provide ‘free’ services where the consumers’ personal data is monetised
should inform consumers and, correspondingly, whether omitting this information
would be a misleading omission. Hiding the purpose of data processing is,
in principle, in breach of the GDPR, but a trader’s violation of data protection
laws does not necessarily mean that the practice is also in breach of the Unfair
Commercial Practices Directive. However, data protection violations ‘should
be considered when assessing the overall unfairness of commercial practices,’
and if the trader does not inform a consumer that the data that is required to access
the service will be used for commercial purposes, this may qualify as a misleading
omission of material information.

Along the same line as confusing marketing and other non-information-related
misleading actions, the assessment of whether omissions are misleading has to
look at the factual context of the practice, taking account of all its features and
circumstances. However, a specific requirement is that courts that assess the
unfairness of misleading omissions need also consider the limitations of the
communication medium. This is of great importance in an IoT context, given the
aforementioned limitations in terms of size of interfaces, lack of displays, etc.
The directive clarifies that, where the medium used to communicate the practice
imposes limitations of space or time, these limitations and any measures taken
by the trader to make the information available to consumers by other means shall
be considered in deciding whether information has been omitted. This means that,
when a Thing is used as a medium to communicate commercial practices, its
limitations (e.g. small display) provide a justification for the IoT trader not to
provide certain information through the Thing itself. The display of a biometric
wristband may not provide the required information but simply tell consumers
where they can find such information (e.g. the terms of service available on the
manufacturer’s website). Unlike the provision on information to be regarded as
material in an invitation to purchase, the directive does not expressly provide
a general obligation for courts to consider both the limitations of the ‘Thing as a
medium’ and the complexity of the ‘Thing as a product.’ However, the CJEU in
Deroo-Blanquart stated that it is up to national courts to determine if there has
been a misleading omission, taking into account also ‘the nature and characteristics
of the product.’ Therefore, also the complexity of the ‘Thing as a product’
can be taken into account to decide whether there has been a misleading omission
of material information. While the use of a Thing as an IoT commerce medium
may provide a justification for certain omissions, when the Thing is (also) the
object of the transaction, more stringent information duties will apply. Additionally,
unfair trading laws should not be considered in isolation. A Thing’s display
showing the website where information can be found, or an audio notice to the
same effect, may comply with the Unfair Commercial Practices Directive but not
necessarily with other regimes. Since this directive has a ‘safety net’ character,
should other instruments provide clear duties to inform regardless of the medium,
these instruments will prevail. For example, under the Consumer Rights Directive,
even when the medium has limitations of space, the trader has to provide
some key information before the conclusion of the contract (e.g. the total price).
Its omission will be in breach of the latter directive, though it will not count as an
unfair practice. This is an IoT-friendly provision that considers the physical
limitations and the complexity of Things when assessing misleading omissions.
Currently, under Deroo-Blanquart, courts are expressly prevented from taking into
account the constraints of certain media when assessing misleading actions. De
lege ferenda, therefore, the duty to consider the limitations of Things as medium
and Things as product should be extended also to practices in contravention of
professional diligence, misleading actions, as well as the fourth type of unfair
practices, that is, aggressive practices, to which the next section is dedicated.


4.3.1.4 Aggressive Commercial Practices: IoT Traders’ Undue Influence 
Over Consumers’ Freedom of Choice 


Aggressive commercial practices are not limited to the use of physical threats
and intimidation to force consumers to enter into a transaction. For example, in
Latvia, Air Baltic’s use of preticked boxes to have the consumers inadvertently
request ancillary services was considered aggressive. In turn, in Office of Fair
Trading v Ashbourne Management Services Ltd, an English court held that
threatening to report a gym’s consumer to a credit reference agency could be
regarded as aggressive. These practices can result in high fines, as was the case
with Italy’s Antitrust Authority handing Ryanair an EUR550,000 fine for the high
costs of the phone calls to its customer centre. In some countries, an aggressive
practice may lead to a prison sentence. For example, in R v Montague,
the defendant was sentenced to 42 months’ imprisonment after he accompanied
an elderly woman to her bank, where she withdrew a princely sum for work in
respect of which the trader had already been paid. The Enforcement and
Modernisation of Consumer Protection Directive has strengthened the protection
against aggressive practices because it has allowed member states to introduce more
stringent rules about unsolicited visits by a trader to a consumer’s home (doorstep
selling) and excursions organised by a trader with the aim or effect of promoting
or selling products to consumers (commercial excursions). This is important
from this book’s perspective because the argument can be put forward that these
unsolicited visits to a consumer’s home do not have to be physical: also, virtual
visits to the consumer’s smart home may trigger the provisions on aggressive
practices. Member states cannot altogether ban such sales channels, but they can
restrict them, e.g. by defining the time of day when visits to consumers’ homes
(including smart homes) without their express request are not allowed. This is
in line with the case law of the ECtHR that has interpreted the concept of ‘home’
broadly to include inter alia mobile abodes.

Under Article 8 of the Unfair Commercial Practices Directive, a practice is 
aggressive if it meets two requirements: 


(i) It significantly impairs or is likely to significantly impair the average
consumer’s freedom of choice or conduct with regard to the product by means of
harassment, coercion, or undue influence; and

(ii) As a result of such impairment, it causes the average consumer or is likely to
cause them to make an unwanted transactional decision.


In assessing whether a practice occurring before, during, or after a transactional
decision is aggressive, courts will have to consider its factual context, taking
account of all its features and circumstances. These could include, e.g. the
physical limitations of the Thing and the power held by the IoT trader as a
consequence of the granular data regarding each consumer. It has been noted that
manipulation will rarely take the form of incorrect or incomplete information;
consumers are ‘put in a situation where they are more likely to agree to buy...
due to their own vulnerabilities.’ The exploitation of the vulnerabilities is more
likely to take an aggressive form. This regime has been successfully used to counter
‘business models whose very operating premise relies upon taking advantage
of the reduced ability of the consumers . . . to protect their own interests.’ As
such, it lends itself to be used in the IoT, where traders know of and can exploit
consumers’ vulnerabilities.

For the purposes of this book, it should be explored whether IoT-enabled
manipulation can qualify as harassment, coercion, or undue influence. There is
no definition of ‘harassment’ or specific guidance, but the UK Competition and
Markets Authority provides the example of threatening language and behaviour
in an attempt to intimidate consumers into accepting the services or agreeing the
terms of service. Harassment is primarily concerned ‘with the invasion of an
individual’s private space.’ Using Things that are present in the most private
spaces around the consumer (smart home, wearables, etc.) to constantly serve
advertisements and invitations to purchase based on the consumers’ vulnerabilities
may be regarded as harassing. Harassment encompasses both physical and
non-physical (including psychological) pressure; this applies also to coercion, that
is, the second method to impair consumer freedom.

Coercion is more focused on the use of physical force, as suggested by the
wording of Article 8 (‘coercion, including the use of physical force’). Although
coercion is not defined, the Competition and Markets Authority provides the
example of a trader starting to work without the explicit permission of the
consumer; indeed, ‘consumers may be discouraged from shopping around, or from
deciding not to have the work done.’ From this book’s perspective, it has
been shown that IoT traders seek consent through a mountain of unreadable and
scattered legals: providing services on the basis of such weak consent may be
regarded as coercion, and therefore as an aggressive practice, provided that the
other requirements are met.

Harassment and coercion are the most blatant forms of aggressive practices
that attempt to pressurise the consumer into a transactional decision. Undue
influence, conversely, addresses more subtle ways to unduly influence consumers;
as such, it better lends itself to be used to counter the sophisticated practices used
in the Internet of Personalised Things. It is not by chance that the study
commissioned by the European Commission in view of the adoption of the Unfair
Commercial Practices Directive exemplified undue influence by referring to
emotional advertising, that is, advertising that plays on emotions or fears and the
exploitation of trust in third parties. Things can report back to the manufacturers
about the emotions and feelings of the consumer, thus providing IoT traders with
powerful weapons. However, the European Commission pointed out that if the
information gathered through profiling is used to exert undue influence (e.g. a
trader knows that the consumer is running out of time to buy a flight ticket and
falsely claims that only a few tickets are left available), then these practices may
be regarded as aggressive.

‘Undue influence’ is the only impairing technique that is expressly defined in
the directive, possibly because it is the concept where common law and civil
law jurisdictions most diverge. There is exercise of undue influence when the
trader exploits a position of power vis-à-vis the consumer so as to apply pressure
in a way which significantly limits the ability to make an informed decision. The
imbalance of power can have economic or intellectual causes and derive from
social ties that go beyond the professional one. The power to put pressure on the
consumer can be derived from the fact that the latter depends on the cooperation
of the trader or on the fact that the trader has psychological tools to convince the
consumer to make a transaction. To better understand when the pressure can be
deemed to significantly limit the ability to make an informed decision, one can
refer to the guidance recently provided by the CJEU in Orange Polska. In that
case, the deciding factor was the circumstance that the consumer had to take the
transactional decision in the presence of the courier who delivered the
standard-form contract, without being able ‘to take cognisance of the content of that
contract while the courier (was) present.’ This was a form of undue influence that
would make the ‘consumer feel uncomfortable or confuse (their) thinking concerning
the transactional decision to be taken.’ The fact that the provision on aggressive
practices tackles more subtle psychological techniques that confused consumers
makes this regime likely to be applied to the Internet of Personalised Things.
This is corroborated by Article 9 of the directive, which provides courts with the
criteria to consider when determining if these forms of impairment took place.
The main criterion is to look at the timing, location, nature, and persistence of the
practice. In light of this, to exploit IoT data about preferences, biases, and
vulnerabilities to target consumers when, where, and in the way that the trader knows
to be more likely to lead to a transactional decision may qualify as aggressive. For
example, by combining geolocation data, calendar entries, browsing history, and
face recognition data, an IoT trader may know that the consumer is sad because
they have been to a funeral and that when they are sad they binge on YouTube
videos of grumpy cats. Accordingly, this trader may target this consumer when
they are back from the funeral and have a sad facial expression, by showing them
grumpy-cat-themed ‘advertorials’ (portmanteau of advertisement and editorial)
that convince them to purchase a certain film or a medicine.

In assessing undue influence, courts need also to consider ‘any onerous or
disproportionate non-contractual barriers imposed by the trader where a consumer
wishes to exercise rights under the contract, including rights to . . . switch to
another product or another trader.’ It is not sufficient to give the consumer some
rights under the contract if factually they cannot exercise them, as was the case
with a Bulgarian trader that made it burdensome to terminate the contract, which
led to unwanted renewals of the service. Therefore, linking back to the issue of
the ‘Internet of Silos’ and the lack of interoperability in proprietary IoT systems,
it can be said that the factual lock-in that these types of barriers create can be
countered by invoking the Unfair Commercial Practices Directive’s provisions on
aggressive practices. This is not to say that all advertising and profiling leads to
unfair consumer manipulation. This will depend on a number of factors, including
‘the persuasive potential of the personalised message and the extent to which the
practice reduces the autonomous decision-making process.’ However, it is fair
to say that the IoT furthers the power imbalance that characterises most
business-to-consumer relationships and creates new opportunities to exploit it to
limit consumer freedom and lead to unwanted transactional decisions.

The aforementioned principle-based rules on aggressive practices may operate
as a counterweight as they can be invoked to rebalance the consumer-to-business
relationship, thus rebuilding the trust in the IoT. The main weakness
of this strategy is that it relies on a case-by-case assessment of unfairness and
on the requirement of the likelihood to lead to an unwanted transactional decision.
These drawbacks can be overcome by relying on the so-called blacklist, which is
the focus of the next section.


4.3.1.5 Commercial Practices That Are Unfair in All Circumstances: 
The Blacklist 


As said above, the benefits of the Unfair Commercial Practices Directive are con- 
nected to its horizontal ‘safety net’ character and the joint operation of principle- 
based rules (e.g. misleading omissions) and a ‘blacklist’ of specific prohibitions 
of certain unfair practices. This blacklist of practices that are considered unfair in 
all circumstances is particularly useful to tackle the negative effects of the Internet 
of Personalised Things. The meaning of ‘unfair in all circumstances’ was clari- 
fied in European Commission v Belgium,” where the CJEU held that blacklisted 
practices are altogether banned: national authorities do not have to assess their 
unfairness on a case-by-case basis using criteria set forth by the directive. Annex I 
to the directive lists them, and as stated in Plus Warenhandelsgesellschaft,**° this 
list is exhaustive. The blacklist provides national authorities with an effective tool 
to tackle common practices, such as targeting of children, hidden advertising, 
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and fake free offers. Originally, there were 31 practices; they are now 35. The 
Enforcement and Modernisation of Consumer Protection Directive added ranking 
manipulation, resale of tickets acquired by automated means in circumvention 
of limits on the number of tickets that a person can buy, not checking that the 
consumer reviews originate from consumers who used or purchased the product, 
and false or misleading consumer reviews (e.g. social influencers posting content 
where they commend a certain brand without making it clear that they are paid 
to promote that brand).331 The blacklist is useful in the IoT context because it
provides for a stricter regime (compared to the principle-based rule under Articles 
5-9) that can better protect vulnerable consumers. And indeed, as noted by the 
European Commission, this list epitomises the directive’s endeavour to protect 
vulnerable consumers ‘from the risks deriving from the effects of the economic 
crisis and the complexity of digital markets.’332

Some manipulative practices that are common in the Internet of Personalised 
Things are well represented in the blacklist. A first example is the business model, 
where services are provided in exchange for personal data. It has already been 
shown that they might qualify as misleading actions or omissions, but the applica- 
tion of those principle-based rules has its shortcomings. In particular, the require- 
ment to prove that the practice led to an unwanted transactional decision is not 
easily made out. It will be onerous for the consumer to prove they would have not 
taken the decision if they knew their data would be commercialised. The black- 
listed practices are banned as such, and therefore consumers do not need to prove 
anything apart from the fact that the practice took place. The opaque monetisa- 
tion of personal data in this popular business model could be attacked through a 
combined reading of Nos 20 and 22 of Annex I. These provisions prevent traders 
from presenting their services as free when they are not333 and from creating the
impression that the trader is not acting for commercial purposes.334 This applies
also to IoT traders that do not inform consumers about the commercialisation of
their data, regardless of any assessment of the unfairness of the practice in the
individual case.335 It has been convincingly argued336 that these provisions are fit
for IoT-enabled profiling and targeting also because they are illegal, regardless of 
the effect on the consumer’s choice, a decision to perform a transaction or not, and 
the existence of a monetary price. Moreover, the first report on the application of
the directive337 presented evidence that these provisions deal with practices ‘targeting
mainly vulnerable consumers.’338 The report referred to the example of websites
offering mobile phone ringtones that were presented as ‘free’ but that would,
in reality, trigger a paid-for subscription. A year later, Consumer Protection Cooperation,
the network of consumer protection authorities in the EEA, relied on these
provisions to have traders change their practices, whereby games were presented
as free but it was not possible to play without ‘in-app’ purchases.339 Arguably, these
provisions are fit also for more subtle practices that, powered by the IoT, exploit
consumer vulnerabilities in novel ways to monetise their data.

331 See CAP and CMA, An Influencers Guide to Making Clear That Ads Are Ads (ASA 2018);
Rossana Ducato, ‘One Hashtag to Rule Them All? Mandated Disclosures and Design Duties in
Influencer Marketing Practices’ in Sofia Ranchordas and Catalina Goanta (eds), The Regulation
of Social Media Influencers (Edward Elgar 2020) 232.

332 European Commission, ‘Communication on the Application of the Unfair Commercial Practices
Directive Achieving a High Level of Consumer Protection Building Trust in the Internal Market’
(n 180) [2.1]. Emphasis added.

333 Unfair Commercial Practices Directive, annex I, no 20.

334 Unfair Commercial Practices Directive, annex I, no 22.

335 See European Commission, ‘2016 Guidance on Unfair Commercial Practices’ (n 234).

336 Helberger (n 156).

Another practice that IoT traders can put in place when they target consumers 
and that can ultimately manipulate them is the use of always-on and ubiquitous 
Things to constantly offer services or products for purchase or paid-for access. 
Echo Show may show you a video about a new gadget that you never thought 
you may want to purchase, Echo Dot may reiterate the message in audio form, 
the advert may follow you in the bathroom, where you have an Echo Look, and it 
could be finally repeated when you go to bed by Echo Spot. These types of prac- 
tices should be considered aggressive and unfair in all circumstances under No 
26 of Annex I, which tackles ‘persistent and unwanted solicitations by . . . remote
media.’340 The threshold of what is ‘persistent’ is low. Austria’s Supreme Court
e.g. excluded from the definition a single letter to a person.341 This provision is
complemented by No 29 of Annex I on inertia selling, namely, the unsolicited
supply of products accompanied by the demand of immediate or deferred payment.342
As pointed out by the CJEU in Toplofikatsia,343 the absence of a response
from the consumer following an unsolicited supply does not constitute consent.344
This practice falls foul also of the Consumer Rights Directive, which exempts the
consumer targeted by these types of practices from providing any consideration.345
The rationale is that traders should not be allowed to impose ‘a contractual relationship
on a consumer to which (they have) not freely consented.’346 Therefore,
in addition to any injunction and compensation granted under the Unfair Commercial
Practices Directive, consumers will have the right not to pay for unsolicited
products. Additionally, if the practice takes the form of unsolicited direct
marketing by means of automatic calling machines, fax, or email, it will be
illegal if not previously consented to, regardless of whether or not it is persistent.
This is because the e-Privacy Directive provides detailed rules applicable
to these scenarios;347 they will prevail over the Unfair Commercial Practices Directive,
given the latter’s safety-net character. The blacklisted practices, therefore,
will be particularly useful in the context of printed marketing and, more impor- 
tantly, unsolicited communications via unconventional media, which includes 
IoT-mediated communications. 


4.3.2 The Limitations and the Potential of the Unfair Commercial 
Practices to Counter the Internet of Personalised Things 


Two factors would appear to militate against the use of the Unfair Commercial 
Practices Directive to counter the negative effects of the Internet of Personalised 
Things. First, this directive is seen as focusing chiefly, if not exclusively, on the 
economic interests of the consumers.348 For example, in Wamo349 the CJEU held
that national laws that prohibit price reductions during presales periods are not
compatible with the directive insofar as their goal is to protect the consumers’ economic
interests.350 Correspondingly, in Pelckmans,351 national laws that prevent
traders from opening their shop seven days a week and require them to choose a
weekly closing day were found to be in line with the directive as long as they did
not pursue objectives related to consumer protection.352 An example of an objective
falling outside the scope of this directive is the regulation of relations between
competitors, as was the case in Inno.353 The European Commission observed that
the directive does not cover national rules intended to protect ‘interests which are
not of an economic nature,’354 such as human dignity, preventing sexual, racial,
and religious discrimination, and antisocial behaviour. Second, it has been noted
that this directive may not be fit for IoT-powered consumer manipulation because,
even though it provides some room to consider broader societal implications of
unfair marketing practices, ‘societal interests are primarily viewed through the
lens of a consumer who is about to take an economic transaction.’355 This argument
is based on the fact that, usually, a practice can be regarded as unfair if it is
likely to cause the consumer to take a transactional decision that they would not
have taken otherwise.356

The aforementioned criticisms about the fitness of the Unfair Commercial 
Practices Directive to deal with consumer manipulation are not without merit, but
they are not insurmountable. Four considerations can be made about the first criticism;
they revolve around the suitability of the directive to protect noneconomic
interests against manipulation. 

First, there is not a clear divide between economic and noneconomic interests. 
This can be seen in the Mediaprint case,357 when the CJEU held that the directive
precludes a general national ban on sales with bonuses designed to achieve
consumer protection as well as other noneconomic interests; in that case, the law 
also pursued the maintenance of pluralism of the press in Austria. Similarly, in 
Köck358 it was found that national laws allowing clearance sales to be announced
only if authorised by the competent district administrative authority fall within the 
scope of the directive despite being aimed at protecting both consumers and com- 
petitors. It should also be noted that the directive considers unfair the omission 
of information mandated not only by consumer laws but also by laws protecting 
noneconomic interests, such as the environment and health.359

Second, it is not by chance that one of the main cases of unfair practices 
regards a form of manipulation with a noneconomic impact. The reference is to 
the ‘Dieselgate,’ when Volkswagen installed ‘defeat devices’ in their diesel cars 
to manipulate emission test results. Over 11 million consumers were misled 
by untruthful claims about the environmental performance of the cars. The Ital- 
ian and the Dutch antitrust authorities issued fines for a total of EUR5.5M to the 
manufacturer for breaching the Unfair Commercial Practices Directive.361

Third, when the European Commission in 2016 updated its 2009 guidance362
on the directive, it did so also to incorporate the key principles developed by the
multistakeholder group on false claims about products’ environmental credentials.363
The directive can be used to counter practices, such as ‘greenwashing,’
that can affect consumers well beyond their economic interests, as exemplified
by the Romanian actions against providers of cleaning products and services that
were unduly advertised as ecological.364

Fourth, the impact assessment of the Enforcement and Modernisation of Consumer
Protection Directive of unfair trading law underlined that this regime brings
about broader societal benefits. It is no coincidence that the European Commission 
links the societal impact of the reform to the issue of tackling consumer vulnerability. 
Traders’ compliance with the directive improves the situation of vulnerable consum- 
ers because they are more likely than average to be victims of unfair commercial 
practices.365 However, this is not just an economic vulnerability. Explicitly building
on behavioural insight,366 the Commission underlines that consumer vulnerability
patterns are ‘complex (multi-dimensional), have multiple drivers and are highly
context-dependent. It is not possible to strictly associate consumer vulnerability with
specific groups or socio-demographic characteristics.’367 For these reasons, the directive’s
focus on the consumer’s economic interest does not prevent consumers from
invoking this regime to counter the negative effects of IoT-enhanced personalisation.

The second criticism about the fitness of the Unfair Commercial Practices
Directive to deal with consumer manipulation368 revolves around the observation
that the directive would view societal interests exclusively through the lens of a 
consumer who is about to take a transaction and, therefore, would be unsuitable 
for the forms of consumer manipulation that are not directly linked to a transac- 
tion. Three counterarguments can be put forward. 

First, as noted before, ‘transaction’ has been interpreted in a broad way, e.g. 
by encompassing the decision not to enter into a transaction or exercise a right 
and also those decisions that are not transactional but are directly related to the 
transactional decision.370 Therefore, for example, designing a virtual assistant to
be ‘always on’ and to target the consumer with frequent ads could fall within the 
scope of the directive because it would be likely to affect the decision to enter or 
not the online shop. 

Second, consumers do not have to prove that the IoT-enabled manipulation led to
a transactional decision. Indeed, the requirement is not subjective — the question that 
courts need to answer is not whether the claimant took an unwanted transactional 
decision. The requirement is objective and abstract — given the nature of the practice 
and of the product, would the hypothetical average consumer be likely to make a 
transactional decision? As IoT consumers are arguably re-engineered to become 
impulsive, or even compulsive, purchasers,371 and since we have underlined their
increased vulnerability, it would seem that the requirement of the likelihood to lead
to an unwanted decision would be easily made out in most IoT scenarios.

Third, we have seen that the directive’s Annex I provides a blacklist of practices
that ‘shall in all circumstances be regarded as unfair,’372 regardless of their
likelihood to lead to an unwanted transactional decision. This means that the 35 
practices listed in Annex I can be invoked by IoT consumers who are victims 
of manipulation even when the practice is not likely to lead to any transactional 
decision. For example, as Things by definition embed digital content, they lend 
themselves to being a medium for the surreptitious use of editorial content in the 
media to promote a product. Some particularly savvy consumers may be unlikely 
to be misled by such ‘advertorials’ and would therefore be unlikely to be able to 
prove that they made a transactional decision that they would have not otherwise 
taken. Nonetheless, the directive outlaws all blacklisted practices, and the ban is 
not accompanied by a proviso of likelihood of transactional decision. Therefore, 
Annex I is likely to be particularly useful to counter those manipulative practices 
that are not connected to transactions. 

In conclusion, the Unfair Commercial Practices Directive, despite its limitations,
can be invoked to resist the Internet of Personalised Things. The
blacklisted practices and the provision on vulnerable consumers may be of great 
help. This is mainly due to special provisions that protect credulous consumers, 
the provisions that address power imbalance, and those that tackle unfairness 
even when it is not linked to a transaction. However, as noted by the European 
Commission,373 much remains to be done to strengthen the protection of vulnerable
consumers. Especially in an IoT world, these are not just the elderly and
the youth; also, other categories of citizens can ‘find themselves in a situation
of weakness.’374 As outlined in the European Consumer Agenda,375 it must be
ensured that vulnerable consumers are protected from the risks deriving from the 
increased complexity of digital markets and from the difficulty many may encoun- 
ter in mastering the digital environment. This is urgent because the IoT can act as 
a powerful tool to manipulate consumers thanks to the power imbalance that is 
furthered by the trader’s remote control over the Thing throughout its life cycle, 
the increased quantity of data generated by Things that are ‘always on’, the better 
quality of this data produced by cross-device tracking and profiling, the increased 
opportunities to target consumers anywhere (ubiquitous computing), and bespoke 
delivery of ads, political messages, and other potentially manipulative content thanks 
to technologies such as emotion recognition. We have reached the point that 
predictive analytics, opaque algorithms, and sophisticated forms of persuasion 
have turned the normally ‘average’ consumer into a vulnerable one.376 Therefore,
unfair trading laws should be applied in a behaviourally savvy way, which means
also interpreting vulnerability as inclusive of IoT-induced manipulability.

It has been opined that no changes in the law would be needed as long as
governments promote digital literacy programs in schools discussing how the 
IoT works and how personalisation can lead to manipulation. However, aware- 
ness raising is hindered by the ‘real disincentive, for service providers to reveal 
details of these practices.’377 In A New Deal for Consumers,378 the communication
that presented the reform instantiated by the Enforcement and Modernisation 
of Consumer Protection Directive and the Representative Actions Directive, the 
European Commission clarified that the IoT and mobile e-commerce are major 
challenges for which consumer policy needs to prepare, as they ‘can make consumers
vulnerable in different ways.’379 De lege ferenda, building on the model
of the blacklist in Annex I to the directive, amendments should be introduced 
to tackle unfair practices affecting consumers regardless of the likelihood of 
unwanted transactional decision and shifting the focus from the consumer’s eco- 
nomic interests to the broader societal impact of unfairness in the Internet of 
Personalised Things. 


4.4 Interim Conclusion 


This chapter considered whether two consumer laws that look beyond the 
contract — the Product Liability Directive and the Unfair Commercial Practices 
Directive — can address techno-human vulnerability by tackling defective Things 
and the Internet of Personalised Things. 

The new concept of product as an amalgam of hardware, software, service, 
and data may lead to more inclusive interpretations of the scope of the Prod- 
uct Liability Directive, which may in turn see the revival of this oft-forgotten 
legal regime. De lege ferenda, it would be important to redefine the concept of 
product to expressly include software — regardless of whether it is embedded 
in a tangible medium — as well as service and data. Otherwise, the prospect of 
the harm coming from defective Things may reduce consumer trust in the IoT, 
which may not in turn unleash its potential. The review of the directive is ongo- 
ing, and hopefully it will reflect the overcoming of those binaries that the IoT 
is challenging, such as product-service, hardware-software, and cybersecurity- 
security. 

The IoT provides enhanced means to manipulate consumers and create new 
needs, expectations, and beliefs. Thus, it can be regarded as a powerful capitalistic 
device. Indeed, capitalism requires the manipulation of workers and the creation 
in them of new needs. This is because it is aimed at the maximisation of profit, 
not at the satisfaction of existing needs.380 Capitalistic growth in productivity
and division of labour produces not only wealth but also new needs. It produces
selfish needs that are a manifestation of alienation.381 As Marx puts it in his
Economic and Philosophic Manuscripts:382


Under private property . . . every person speculates on creating a new need in 
another, so as to drive him to a fresh sacrifice, to place him in a new depen- 
dence, and to seduce him into a new mode of gratification . . . The less you 
are, the less you express your life, the more you have, the greater is your 
alienated life and the greater is the saving of your alienated being.383


It has been convincingly argued that Marx ‘actually discovered the problem of 
“manipulated needs” and indeed of the “manipulation of needs.”’384 Capitalism
manipulates needs in that it creates consumption needs which silence those deeper 
needs that shape the human personality and hinder the valorisation of capital, 
e.g. the need for free time. Free time and authentic needs385 are appropriated and
manipulated by IoT traders — ‘smartness’ becomes the ultimate neoliberal tool
to make us ‘dumb.’386 It is no accident that vulnerability has become a key common
trait that Things and humans share. The Unfair Commercial Practices Directive
can be invoked to counter the Internet of Personalised Things. However, it
should not come as a surprise that, being a neoliberal instrument focused on the
economic dimension of the consumer and on the internal market, its response to
IoT-enhanced consumer manipulation is not entirely satisfactory. The feeling is
starting to emerge that, in the age of cyborg consumers, the ‘smart’ internet is ‘a
space whose organisation does not require lawyers since it does not need any laws
different from the de facto power of the smartest.’387 If the law is supplanted by
engineering and by self-programming Things, one can doubt that we can still do
something to force our values upon the capitalist project. As the new extractive
practices of the IoT are mostly data-led, it becomes necessary to turn our gaze to
data protection — or what is left of it — in the ‘Internet of Loos.’


5 The Internet of Loos, the General
Data Protection Regulation, 
and Digital Dispossession Under 
Surveillance Capitalism 


[T]he only necessary wage rate is that providing for the subsistence of the worker 
for the duration of his work and as much more as is necessary for him to support a 
family and for the race of labourers not to die out. . . . The demand for men neces- 
sarily governs the production of men, as of every other commodity. 

Marx, Economic and Philosophic Manuscripts of 1844 (1) 


5.1 Introduction: The Erosion of Privacy and Data Protection 
in the Global Private-Public Surveillance Network 


The IoT constitutes an unprecedented challenge to privacy and data protection.1
Despite a growing body of literature, many aspects of the relationship between
IoT, privacy, and data protection require further exploration.2 Whereas privacy
and data protection are distinct concepts and deserve separate attention,3 for the
sake of brevity I will merely touch upon the former in this introduction, while the 
chapter will focus on the latter. 

The IoT ‘could undermine such core values as privacy’4 as it is progressively
eroding the area of what can be regarded as private. Traditionally, the home and
the body were the most sacred of private spaces.5 This assumption may have to
be revisited as smart home and IoT health are becoming commonplace.6 The IoT
risks becoming a global private-public surveillance network. To exemplify this, 
one need only think that since Amazon acquired smart video doorbell Ring, it 
brokered nearly 2,000 partnerships with local law enforcement agencies, who 
‘can request recorded video content from Ring users without a warrant.’7 The IoT
is normalising the idea that ubiquitous cameras, microphones, and sensors track
citizens’8 behaviour and transform it into structured data flows that are sent back
to our Things’ manufacturers. This is perhaps best illustrated by Amazon’s Echo
Spot and Echo Look — respectively an alarm clock and a style assistant — which are
equipped with cameras and are designed to be used in the bedroom and even in 
the bathroom, hence the ‘Internet of Loos.’ As the ability to be alone with oneself 
is pivotal to human flourishing, the IoT — with its erosion of the private/public 
boundaries — launches a most concerning attack on the self. 

Alongside being a threat to privacy, the IoT challenges the right to data protec- 
tion. Indeed, the focus of this chapter will be to critically assess whether the IoT is 
intrinsically inconsistent with the GDPR or whether the most advanced European 
data protection law can tackle the emerging issues in the IoT. After an introduction 
to the GDPR, this chapter will present the main data protection issues in the IoT. 
It will then zoom in on one of them that is usually overlooked: ‘digital disposses- 
sion.’ This refers to IoT companies’ (ab)use of intellectual property rights (espe- 
cially trade secrets) to appropriate citizens’ data and prevent them from exercising 
their data subject rights, including the right(s) of access. Digital dispossession 
is part of a wider context that has seen the shift from the knowledge economy to 
the data economy.10 This is leading to the private appropriation of both the IoT’s
infrastructure and data.11 Digital dispossession will be analysed as a tenet of the
theory of surveillance capitalism.12 To understand what practically happens to IoT
users’ data, the chapter will move on to analyse Echo’s data practices by means of a
subject access request, interactions with Amazon’s customer support staff, and text
analysis of the relevant privacy policy. This evidence base will be used to carry out
a fitness check, namely to explore whether the rights of access, to portability, to be 
informed, and not to be subject to solely automated decisions can be successfully 
invoked to counter IoT companies’ digital dispossession, or whether trade secrets 
may give these companies a weapon to effectively nullify GDPR rights. 

While some features of the IoT render GDPR compliance difficult (e.g. the tension
between ‘repurposing’13 and the principle of purpose limitation), I will argue
that there is no intrinsic trade-off between the IoT in its technological dimension 
and the GDPR; rather, the problems stem from the IoT companies’ exploitative 
and proprietary business models centred on opaque data practices whose epitome 
is digital dispossession. Against this backdrop, this chapter will answer the fol- 
lowing subquestion: how does the law cope with data being at once a fundamental 
human right and a commodity? 


5.2 The GDPR: From Confidentiality to Data Control 


When every Thing that is around, on, and in us collects granular data about us, 
sends it back to the manufacturer, and shares it with an unknown number of third 
parties, there is no doubt that our rights to privacy and data protection are at 
stake. Despite its shortcomings (e.g. excessive compliance burdens for smaller 
businesses),14 the GDPR constitutes progress in the protection of personal data
insofar as it attempts to restore users’ control over their own data. In light of the 
complex data flows that characterise IoT sensing and actuating — and the associ- 
ated likelihood that data will be used in unforeseeable ways and by unknown 
parties — data control has become more important than data confidentiality. As 
the IoT heralds ‘a data-sharing storm where there are no controls or safeguards 
on what data is shared, who it is shared with, or for what purposes data is used or 
re-used,’15 the GDPR can be regarded as a safe port.

Effective as of May 2018, the GDPR replaced the Data Protection Directive16
and increased the protection of personal data throughout the EU. It applies to
personal data processed by entities that are either established in the EU or target
EU residents.17 Although it mostly codifies best practices that developed
under the previous regime,18 the GDPR is usually regarded as an advancement
in data protection for a twofold reason. First, high fines incentivise compliance.
France’s data protection authority CNIL e.g. imposed a EUR50M fine
on Google over the company’s opaque privacy policy and lack of legal basis
for personalised ads.19 Recent research shows, however, that GDPR fines have
limited, if any, deterrence effect.20 Second, the GDPR is a regulation as opposed
to a directive. This means that it is directly applicable in all member states;21
the latter have adopted implementing measures to regulate those aspects where
the GDPR left room for national tailoring.22 Some countries, e.g. Italy23 and
France,24 proceeded by amending their existing data protection statutes. Others,
such as the UK and Spain, repealed the pre-existing statutes25 and replaced
them with new, GDPR-compliant legislation.26 To dispel any confusion related to
the effect of Brexit on UK data protection law, the Data Protection Act 2018
incorporated and supplemented the GDPR.27 The retention of the same rules
as the EU after Brexit through the so-called UK GDPR should guarantee the
continuity of EU-UK data flows.28 There are strong incentives to maintain convergence,
since EU personal data-enabled services exports to the UK are worth
approximately £42bn, and exports from the UK to the EU are worth £85bn.29
Accordingly, the UK government is seeking an adequacy decision, i.e. the European
Commission’s confirmation that a non-EEA country provides an adequate
level of personal data protection.30 Since the IoT, where Things are composite
and provided through a complex supply chain, is intrinsically international,
ensuring smooth data flows will be of utmost importance for the functioning of
the IoT.

The GDPR is not as much about privacy as it is about control, especially if
privacy is interpreted as secrecy. This may seem counterintuitive. Indeed, pseudonymisation
is one of the measures that the GDPR recommends,31 and companies
tend to anonymise data in an attempt to bring the processing outside of the scope of
the GDPR.32 Such a strategy is based on the fact that principles of data protection
should not apply to anonymous information.33 However, it does not consider that
anonymisation relieves companies of the burden of GDPR compliance only inasmuch
as the data subject is no longer identifiable.34 The IoT, however, ushers in an
era of reidentification, as Things provide new ways to deanonymise data flows.35

The misunderstanding of the GDPR as a privacy — and even secrecy — law 
has led to risks for citizens. The reliance on anonymisation and other forms 
of confidentiality-focused, privacy-enhancing technologies is leaving data ‘reidentifiable
by capable adversaries while heavily limiting controllers’ ability to provide
data subject rights, such as access, erasure and objection, to manage this risk.’36
The point is that the GDPR espouses a concept of data protection that focuses on
control rather than on privacy as confidentiality.37 Data control is exercised through
rights such as access, rectification, and portability. This is consistent with the GDPR’s
goal to facilitate the free flow of personal data within the Union38 and eliminate the
differences between national laws that are regarded as an obstacle to the pursuit of
economic activities at the level of the Union and distort competition.39 In this sense,
the argument is put forward that the GDPR is underpinned by a philosophy of open- 
ness and control rather than of secrecy and privacy. Such philosophy is pivotal to 
using the GDPR to tackle the main data protection issues in the IoT. 


5.3 Data Protection Issues in the IoT 


The Article 29 Working Party’s opinion on the IoT*® provides an analytical 
framework for the main data protection issues in the IoT. Although the opinion 


31 GDPR, art 6(4)(e). 

32 Michael Veale, Reuben Binns and Jef Ausloos, ‘When Data Protection by Design and Data Subject 
Rights Clash’ (2018) 8 IDPL 105. 

33 GDPR, art 4(1). 

34 GDPR, recital 26. 

35 Jose Luis Canovas Sanchez, Jorge Bernal Bernabe and Antonio F Skarmeta, ‘Towards Privacy 
Preserving Data Provenance for the Internet of Things’ 2018 IEEE 4th World Forum on Internet of 
Things (WF-IoT) (IEEE 2018) <https://ieeexplore.ieee.org/document/8355229/>. 

36 Veale, Binns and Ausloos (n 32). 

37 Article 29 Working Party and Working Party on Police and Justice, ‘The Future of Privacy: Joint
Contribution to the Consultation of the European Commission on the Legal Framework for the Fundamental
Right to Protection of Personal Data’ (2009) WP 168; Seda Gürses, ‘Can You Engineer Privacy?’ (2014)
57 Communications of the ACM 20. The Article 29 Working Party, the pan-European advisory group in
matters of data protection, was replaced by the European Data Protection Board on 25 May 2018.

38 GDPR, recitals 6 and 9. 

39 GDPR, recital 9. 

40 Article 29 Working Party, ‘Opinion 8/2014 on the Recent Developments on the Internet of Things’ 
(2014) WP 223. 


240 The Internet of Loos 


considered the data protection issues in the IoT with reference to the Data Protection
Directive, the framework needs only minor adapting. Indeed, for the most
part, the GDPR can be regarded as the codification of best practices that developed
under the Data Protection Directive;41 therefore, most of the considerations
that the Article 29 Working Party made retain their validity. The framework has
also been adapted to take account of phenomena on which scholarly debate has
only recently started to develop, namely, the status of inferences and the
threat of digital dispossession.
The main data protection issues in the IoT relate to:


(i) Lack of control and information asymmetry; 
(ii) Quality of consent; 
(iii) The contested status of inferential data; 
(iv) The chimera of anonymisation; 
(v) The shift of the compliance burden from the IoT company to the end user; and
(vi) Digital dispossession. 


5.3.1 Lack of Control and Information Asymmetry 


First, lack of control42 and information asymmetry43 are intertwined issues. The
difficulty of controlling how Things interact and of knowing which data the Thing sends
back to the manufacturer makes it difficult to assert data control, especially
because IoT companies keep these practices secret. Similar issues arise with big
data and cloud computing, but as noted by the Article 29 Working Party, the possibility
to combine data from multiple sources exacerbates the loss of control.44
This is perhaps best illustrated by IoT-enabled third-party monitoring, which may
lead to the user losing control over how their data is processed. IoT systems are
characterised by a high level of automation. Thing-to-Thing communication can
take place automatically, without the end user being aware of it. As an example
of lack of control in the IoT, digital advertising company Improve Digital points
out in its privacy policy that its clients sell advertising space on Things and that
‘for most of such devices it is not possible to generally not allow cookies or
opt-out, although you can often remove all cookies.’45 Whilst direct marketing can act
as a legitimate interest under the GDPR46 — and therefore controllers would not
need to seek the data subject’s consent when processing data for direct marketing
purposes — the use of cookies or similar identifiers requires consent under
the e-Privacy Directive.47 Moreover, even though the legitimate interests of third
parties may justify the relevant monitoring, data subjects (including IoT users)
have a right to object to that processing of their personal data. In principle, this
is not an absolute right, because data controllers could demonstrate compelling,
overriding, and legitimate grounds for the processing.48 However, data subjects
have an absolute right to object to processing, including third-party monitoring,
if this is for direct marketing purposes: IoT companies will have to immediately
stop processing for such purposes.49 It would be regrettable if IoT data controllers
could invoke the limitations and complexities of the Things as an excuse to
deprive end users of the control over their data.


5.3.2 The Quality of Consent 


A closely interwoven issue has to do with the quality of the IoT user’s consent.50
From a technical point of view, consent in the IoT is problematic mainly for two
reasons.51 A first technical issue is that ‘[r]esource heterogeneity and limitations are
found in connectivity, computational power, storage,’52 as well as in input/output,
which refers to devices used to communicate with computers, e.g. keyboards and
monitors. As an example of such limitations, one can think of the limited size
of Things’ screens or the lack of screens. Chapter 3 has already shown that this
limitation hinders compliance with precontractual duties of information. This
limitation also makes it hard for IoT companies to provide appropriate privacy
notices and for their users to input privacy choices. Accordingly, it has been
convincingly argued that the ‘existing privacy frameworks that rely heavily on a notice
and choice model do not effectively safeguard consumers in the IoT setting.’54 A
second technical issue that makes consent in the IoT problematic is device identity.
Traditional authorisation systems used to decide whether a requester of a resource
has sufficient permissions are not entirely applicable to the IoT.55 A privacy policy
needs to state exactly who interacts with what data, when, where, how, and
why. This conflicts with the objective of easy-to-understand policies, especially
in the IoT context. Pointing out all possible data interactions is challenging at best
and detrimental to understanding at worst. However, consent can be regarded as
‘informed’ only if the user has sufficient knowledge of the risks and benefits of
disclosing information to make a reasonable evaluation.56

The GDPR sets a high standard of consent, which has to be informed, freely
given, specific, unambiguous, granular, easy to withdraw, and demonstrable.
Consent can hardly be regarded as informed in most IoT scenarios, where users
are unlikely to be aware of their Things’ processing activities. Informed consent
has been regarded as unattainable in the IoT because one of its key features is
sensor fusion, which consists of ‘combining sensor data or data derived from different
sources in order to get better and more precise information than would be
possible when these sources are working in isolation.’57 Sensor fusion contributes
to ‘the near impossibility of truly de-identifying sensor data.’58 Therefore, data
controllers had better not rely on consent as a valid justification for processing.59
This is also due to the fact that Things are ubiquitous and tend to disappear, while
the relational black box makes it arduous to map the players involved in the data
flows. This is all the more true when data controllers state that the alternative to
consenting is not to access certain services or features.

Consent must be freely given, and this does not seem to be the case here,
especially because, when assessing whether consent is freely given, account has to be
taken of whether the performance of the contract ‘is conditional on consent to
the processing of personal data that is not necessary for’61 the performance. IoT
companies cannot make the functioning of their virtual assistant conditional on
consenting to interest-based advertising.

The requirements for consent to be informed and freely given are not an innovation
of the GDPR. The Data Protection Directive already imposed these
requirements, alongside requiring consent to be specific and unambiguous.62
Specific means that consent must be given in relation to ‘one or more specific
purposes’63 and that a data subject has a choice in relation to each of them. This
requirement is closely interwoven with the principle of purpose limitation,
whereby personal data has to be ‘collected for specified, explicit and legitimate
purposes and not further processed in a manner that is incompatible with those
purposes.’ IoT’s ‘repurposing’ challenges both the requirement that consent be
specific and the principle of purpose limitation. Repurposing is a critical characteristic
of IoT systems, dependent on their (inter)connectivity and system-of-systems
dimension. It can be understood as the phenomenon whereby an IoT
system ends up being used for purposes other than those originally foreseen in
two scenarios:


(i) The communication within the relevant subsystem and among subsystems
can lead the system to perform actions and produce information which the
single Thing was incapable of or that could not be foreseen by its manufacturers; and

(ii) Under certain conditions (e.g. an emergency), the system may reconfigure
either in an automated fashion or a user-initiated one.


IoT’s repurposing has an ambiguous relationship to the purpose limitation principle.
On the one hand, it is virtually impossible for data controllers to foresee and
therefore specify all the purposes the Thing may process data for. On the other
hand, controllers may argue that as repurposing is a core feature of the IoT, when
using Things consumers expect the reuse of their data. In other words, the IoT
could be seen as pushing the boundaries of what is to be regarded as a compatible
purpose under the purpose limitation principle.

For consent to be valid, it also needs to be unambiguous. Under the Data Protection
Directive, ‘unambiguous’ meant the ‘indication of wishes by which the data
subject signifies his agreement to personal data relating to him being processed.’67
In theory, this meant that opt-out mechanisms (e.g. preticked boxes) would have
complied with this requirement. In practice, the Article 29 Working Party clarified
that a clear affirmative action was needed.68 This position was finally adopted by
the GDPR.69 Silence, preticked boxes, or inactivity cannot be regarded as meeting
the standard.70 Accordingly, IoT companies that give users the possibility ‘to
opt out of certain other types of data processing by updating your settings on the
applicable . . . device’71 are not relying on a valid consent.72

The innovations of the GDPR as far as consent is concerned are — alongside
clearer rules regarding the pre-existing requirements — the new requirements of
granularity, ease of withdrawal, and demonstrability. The heightened standard for
consent under the GDPR and the ‘increase of personal data collection, use and
re-use, will make consent a major problem for IoT players.’73

‘Granular’ means that there should be separate consent options for different
types of processing, and if the data subject’s consent is given in the context of
a written declaration which also concerns other matters, ‘the request for consent
shall be presented in a manner which is clearly distinguishable from the
other matters, in an intelligible and easily accessible form, using clear and plain
language.’74 Practically, this means that IoT companies cannot bury consent in a
long document that deals also with non-privacy-related matters (e.g. the terms of
service).75

IoT users should be free to withdraw their consent at any time and with the
same ease that characterised the giving of the consent.76 This means that when
consent is obtained via electronic means ‘through only one mouse-click, swipe,
or keystroke,’77 IoT companies cannot impose more cumbersome procedures to
withdraw consent.

Finally, consent must be demonstrable. Indeed, the controller — the IoT
company in our scenario — must be able to ‘demonstrate that the data subject
has consented to processing of (their) personal data.’78 This is an application
of the overarching principle of accountability that the GDPR introduced to
make clear that compliance as such is not enough: controllers must keep accurate
records of their processing activities and of the ways they comply with
the GDPR.79 Accordingly, IoT companies must retain proof of a valid consent
as long as the processing lasts, and after the processing ends, for as long as it
is necessary for compliance with a legal obligation or for the exercise of legal
claims.80 The lack of accountability in the IoT precludes meaningful engagement
by users with their personal data and ‘poses a key challenge to creating
user trust in the IoT and the reciprocal development of the digital economy.’81
Accountability is rendered difficult by IoT’s inadequate consent mechanisms,
opaque distributed data flows, and lack of adequate interfaces; therefore, IoT
companies have to invest sufficient resources in finding creative solutions to
demonstrate compliance.82

In the context of wearables and the related processing of sensitive personal
data, it has been observed83 that too rigid an interpretation of consent may stifle
innovation; accordingly, self-regulation has been recommended as a solution.
However, as noted in Chapter 1, self-regulation does not appear to be the best
regulatory approach when private entities have incentives to behave in ways
that are not conducive to the common good. Conversely, at least some of the
issues of consent in the IoT can be overcome by moving ‘past reliance on contractual
T&C (and) use the concept of trajectories.’84 The concept of trajectories
has been developed by human-computer interaction (HCI) scholars.85 HCI is a
domain of technology design that ‘prioritises understanding the social context
of technology, questioning the interactions and relationships between end users
and technology.’86 Trajectories are a ‘conceptual framework for understanding
cultural user experiences’87 and for designing interactive user experiences.
Trajectories share in common that ‘they take their participants on journeys (that)
may pass through different places, times, roles and interfaces.’88 IoT designers
could adopt this framework to embed GDPR compliance in the users’ trajectory,
thus improving the overall experience. Trajectories’ designers have to
consider factors such as the interfaces, the physical space, and the actors.89 This
means e.g. that as opposed to providing all information upfront, ‘information
can be spread over the lifetime’ of the user-Thing relationship. This multidisciplinary
approach is certainly promising, although it is still unclear how to provide
incentives to push IoT companies to embrace HCI principles in the design
of their GDPR compliance.


5.3.3 The Contested Status of Inferential Data


The value in IoT data stems often not from the data itself but from the inferences
IoT companies can make from it.91 The status of inferences as personal
data is contested.92 The IoT requires pervasive collection and ‘linkage of
user data to provide personalised experiences based on potentially invasive
inferences.’93 The joint operation of IoT-produced big data, improved data-mining
techniques, and combination of data from multiple sources leads to
the creation of highly valuable inferences about the user’s behaviour and
vulnerabilities. This is problematic for a twofold reason. Analytics is moving
from being merely predictive to giving IoT companies the power to change
the way the individual actually behaves. There is evidence that people censor
themselves when they know or feel that they are being watched.94
Moreover, these inferences may not necessarily be regarded as personal data,
which would bring the processing outside of the scope of the GDPR. If this
thesis prevails, IoT companies may sidestep the principle of purpose limitation
and reuse inferred data for purposes that go beyond the original purpose for
which data had been collected, thus giving rise to the threat of function creep.95
Besides, users could not invoke the right to rectify96 inaccurate and unreasonable
inferences, which is alarming, as inferences are unverifiable and ‘create
new opportunities for discriminatory, biased, and invasive decision-making.’
Accordingly, it has been argued that a new ‘right to reasonable inferences’
is needed to help close the accountability gap currently posed by high-risk
inferences. The proposal has two drawbacks. First, it is characterised by the
same rights-based approach that negatively affects the GDPR; the effectiveness
of data protection ends up depending on the individual citizen, who has scarce
resources and knowledge to sue IoT big tech. Second, albeit imperfect, the
GDPR provides tools against abuses regarding inferred data. The starting point
is that inferential data is personal data, and therefore the GDPR applies. Indeed,
personal data includes information that even potentially and indirectly identifies
a natural person; such a broad interpretation predates the GDPR and dates
back to the Convention 108 of 1981.100 The CJEU, ECtHR, and national courts
tend to interpret the concept broadly, including inter alia IP addresses101 and
the body temperature recorded by portable thermal cameras.102 Although the
right not to be subject to automated decisions103 is unlikely to apply to inferences,
lacking a significant ‘decision,’ the rules on profiling apply regardless
of a solely automated decision.104 Profiling consists of any form of automated
processing of personal data to analyse an individual’s personality, behaviour,
interests, and habits to make predictions or decisions about them.105 The definition
is broad enough to encompass most inferences. And indeed, as noted by
the Article 29 Working Party, profiling is ‘often used to make predictions about
people, using data from various sources to infer something about an individual,
based on the qualities of others who appear statistically similar.’106 This means
that IoT companies whose business model relies on inferences have to actively
inform the data subject about profiling and carry out a Data Protection Impact
Assessment.107 Moreover, the principle of accuracy will apply108 and IoT companies
will have to put in place appropriate processes to check that personal
data, including inferences, is correct and not misleading.109 The importance
of accurate inferences was also underlined by the Council of Europe, which
stressed the importance of data quality and recommended that the data controller
‘periodically and within a reasonable time reevaluate the quality of the data
and of the statistical inferences used.’110 Accordingly, IoT companies should
be proactive in correcting data inaccuracy factors and in limiting the risks of
errors inherent to profiling.


5.3.4 The Chimera of Anonymisation 


There are intrinsic limitations on the possibility to remain anonymous when using
Things. This is problematic since anonymisation is identified as a best practice
in data processing, especially when profiling.111 The IoT makes robust anonymisation
difficult for a fourfold reason. First, Things and IoT systems produce an
abundance of data, as exemplified by the fact that UK smart meters generate 21.2
billion megabytes of data each year.112 Second, this data is more granular because
of the possibility to recombine data coming from multiple sources, also thanks to
more refined tracking techniques. Using signals that can be heard from a user’s
Things but not from the user themselves, IoT traders can map all the Things used
by the same user, which makes cross-device tracking easier.113 Third, the data
produced by Things and IoT systems provides information that relates to the most
intimate aspects of an individual’s life. This is because they are ubiquitous and
can access the most private spaces, including the home and the body. Finally,
Things that are in close proximity to the data subject (e.g. wearables) result in the
availability of stable identifiers (e.g. multiple MAC addresses)114 that lead to the
creation of a unique fingerprint.115 In light of the above — and thanks to the ensuing
data power116 that IoT companies hold — anonymous data can be easily linked
back to individuals.117


5.3.5 The Shift of the Compliance Burden from the IoT Company 
to the End User 


The burden of compliance with the GDPR is gradually shifting from IoT companies
to other players, including the end user. Connected to the issue of lack
of control over one’s own data, this shift is the result of the convergence of two
jurisprudential trends regarding joint controllership and the household exemption.118
On the one hand, as noted in Chapter 1, we are witnessing the rise of
joint controllership, that is, the situation where two or more controllers jointly
determine the purposes and means of processing. As seen in Wirtschaftsakademie
Schleswig-Holstein (the Facebook fan page case),119 joint controllership means
that data subjects / end users will increasingly be recognised as data controllers
and therefore bound by the GDPR’s principles and obligations.120 Whilst joint
controllership may increase the level of data protection in the IoT by making
it easier to find someone accountable in the complex IoT supply chain, it could
also have negative effects. It has been noted121 e.g. that developers of
privacy-enhancing technologies for the smart home may fall within the definition of joint
controllers even when they do not have access to any personal data.122 On the
other hand, one needs to consider the strict interpretation given by courts to the
household exemption. Under this exemption, the processing of personal data ‘by
a natural person in the course of a purely personal or household activity’123 falls
outside the scope of the GDPR. To escape liability under the joint controllership
scheme, an IoT user may invoke the household exemption. However, the CJEU
has been interpreting it rather narrowly.124 In Rynes125 it was held that the user
of a CCTV that recorded the entrance to his home, the public footpath, and the
entrance to the house opposite could not invoke the household exemption. Indeed,
since the video surveillance covered ‘even partially, a public space,’126 it could not
be regarded as a purely personal or household activity. This is despite the Data
Protection Directive, applicable at that time, clarifying that household activities
can be exempt despite the incidental inclusion of third parties’ personal data.127
More recently, Jehovan todistajat clarified that the exemption is precluded not
only when the processing extends to public spaces but also when there is access
by an ‘unrestricted number of people.’128 Amazon-owned Ring has launched the
‘Always Home Cam,’ an indoor security drone to scare off burglars.129 The drone
may end up recording the burglar before and after the break-in, outside the home.
It would seem that the household exemption would not apply to this scenario.
Similar considerations are likely to apply to the Things that we wear (wearables)
and carry with us, thus allowing them to potentially record data in public spaces.
As to the issue of the accessibility of the data by an unrestricted number of people,
one could argue that Things designed to routinely send back data to the manufacturer
provide opportunities for such an unrestricted access and therefore pre-empt
the applicability of the exemption. The above considerations, combined with the
fact that the CJEU has ‘never ruled in favour of a claim of the exemption,’130 make
it unlikely that an IoT user could successfully invoke the household exemption,
even when it comes to smart home processing, and that, in turn, the application of
the joint controllership regime will lead to a shift of the burden in GDPR compliance
from the IoT company to the data subject-user.


5.3.6 Digital Dispossession 


Finally, digital dispossession is another issue that the Article 29 Working Party
overlooked.131 IoT companies attempt to appropriate and otherwise control both
the algorithms that underpin the IoT system and the data that this system produces.
Leveraging a portfolio of big data and intellectual property rights (especially
trade secrets), IoT companies put in place novel extractive practices that
can negatively affect citizens, who are often unaware of them due to a technical
and legal secrecy. ‘Technical’ secrecy results from the opacity of the algorithms
that underpin the IoT, especially when AI-enabled. ‘Legal’ secrecy, in turn, comes
from a combination of trade secrets, proprietary software, and contracts that keep
IoT data practices secret. Thanks to the data power that IoT big players hold,
they can take advantage of their dominant position to impose contracts that purport
to justify unfair and opaque practices, including the appropriation and reuse
of personal as well as nonpersonal data. As a study of the neoliberal smart city
showed, ‘data lies at the heart of most power relations today.’132 IoT companies’
proprietary strategy can harm citizens in manifold ways. It can affect their privacy
because it allows for surreptitious forms of monitoring and surveillance. It
can also affect their autonomy and self-determination because IoT data allows
companies to exploit users’ biases and vulnerabilities to manipulate them.133 It
can even affect their dignity, when IoT data includes protected characteristics that
allow companies to discriminate against certain categories of citizens.134 Following
the brutal killing of George Floyd, tech companies started announcing that
they would stop selling facial-recognition software to law enforcement because
it’s inherently biased against BAME people.135 However, the same companies
often kept entering into agreements with the police, allowing for forms of biased
policing and surveillance. This was well illustrated by Amazon’s Ring — a ‘smart’
home doorbell — which allowed (and still does) users to share concerning video
footage with the police: reports136 have found that a disproportionate number of
incidents involve people of colour. As this is a most pressing and understudied issue,
the next section will shed light on the concept of digital dispossession in the context
of IoT-enabled surveillance capitalism.


5.4 Surveillance Capitalism and IoT Apparatus: From 
Prediction to Execution 


The role of private corporations in appropriating private resources (e.g. labour)
and the commons (e.g. natural resources) has long been the subject of investigations.
A particular contribution has been provided by Marxist scholars, including
legal scholars, who underlined how the law enabled and facilitated the processes
of capitalistic accumulation and exploitation.137 Conversely, until recently, most
ignored that a new variant of capitalism is on the rise, and it has to do with private
corporations’ exploitation of personal data. This is the focus of one of the few
law books to recently acquire the status of bestsellers, Surveillance Capitalism by
Shoshana Zuboff,138 which was considered, perhaps emphatically, ‘Das Kapital
of the digital age.’139

‘Surveillance capitalism’ is a concept that Zuboff coined in 2014.140 It illuminates
a new form of power generated by big data, an unprecedented threat to democratic
values as it operates through ‘unexpected and often illegible mechanisms
of extraction, commodification, and control that effectively exile persons from
their own behaviour.’141 While not only about the IoT, this book underscores that
‘although it may be possible to imagine something like the “internet of things”
without surveillance capitalism, it is impossible to imagine surveillance capitalism


135 Emily Birnbaum and Issie Lapowsky, ‘Amazon, Facing Pressure, Won’t Provide Facial
Recognition to Police for a Year’ (Protocol, 10 June 2020)
<www.protocol.com/amazon-facial-recognition-police>; ‘IBM Abandons “biased” Facial Recognition
Tech’ BBC News (9 June 2020) <www.bbc.com/news/technology-52978191>.

136 Caroline Haskins, ‘Amazon’s Home Security Company Is Turning Everyone Into Cops’ (Vice,
7 February 2019)
<www.vice.com/en_us/article/qvyvzd/amazons-home-security-company-is-turning-everyone-into-cops>.

137 David Harvey, The New Imperialism (OUP 2003).

138 Zuboff, Surveillance Capitalism (n 12).

139 Hugo Rifkind, ‘Review: The Age of Surveillance Capitalism by Shoshana Zuboff — Das Kapital
for the Digital Generation’ The Times (18 January 2019)
<www.thetimes.co.uk/article/review-the-age-of-surveillance-capitalism-by-shoshana-zuboff-das-kapital-for-the-digital-generation-mb39mjk2s>.

140 Shoshana Zuboff, ‘A Digital Declaration’ Frankfurter Allgemeine (15 September 2014)
<www.faz.net/1.3152525>.

141 Shoshana Zuboff, ‘Big Other: Surveillance Capitalism and the Prospects of an Information
Civilization’ (2015) 30 Journal of Information Technology 75.




without something like the “internet of things.”’142 At a higher level, Surveillance
Capitalism is a book about power. Specifically, it is a book about the way big
tech companies exercise power. As such, it can be seen as complementary to another notable
contribution to contemporary scholarship, namely, Re-engineering Humanity by
Brett Frischmann and Evan Selinger,143 who focus on how these companies use
new technologies, including the IoT — which the authors rebranded ‘smart techno-social
environment’144 — to change those subjected to power: us. The IoT risks
erasing the ‘freedom to be off, to be free from systemic, environmentally architected
human engineering.’145 Alongside power and its subjects, the law is the third
element of the equation. This is at the centre of a third germinal book, Between
Truth and Power by Julie E. Cohen,146 who focuses on how the law is changing
in the networked information age.147 The law is closely intertwined with code (or
design) and political economy: ‘through their capacities to authorize, channel, and
modulate information flows and behavior patterns, code and law mediate between
truth and power.’148 Whilst these books beautifully complement each other and are
of great importance, this chapter will focus on Surveillance Capitalism because
it analyses more closely the IoT as an expression of capitalistic power and contributes
to the understanding of digital dispossession. Zuboff has been criticised
for allegedly failing to appreciate the critical role that law plays in the construction
and persistence of private power; on this view, informational capitalism is
‘contingent upon specific legal choices.’149 This argument is based on the optimistic
assumption that anticapitalistic resistance can be built into the law, whilst I
would argue that the solution can only be found beyond the law.

In adopting Zuboff’s book as an analytical framework, this chapter will depart
from it to the limited extent required by my belief that surveillance capitalism
is a mere variant of industrial capitalism and that both should be criticised for
the exploitation of the vulnerable: yesterday the factory’s workers, today the
IoT’s ‘smart’ users. Although Zuboff does not attempt a critique of capitalism as
a whole, it can be argued that surveillance capitalism is a continuation of information
capitalism that goes back to the Sixties, when American economists150
started analysing the knowledge industry and understood that our society was
already transitioning to an economy based on knowledge. Informational capitalism
evolved out of industrial capitalism in the seventies, when computer technologies
became common in the most developed countries, and it boomed in the
nineties when investments in information technologies contributed to productivity
increases on a grand scale.151 Information technologies led to what Castells called
the network logic; networks were seen as constituting ‘the new social morphology
of our societies, and the diffusion of networking logic substantially modifies
the operation and outcomes in processes of production, experience, power, and
culture.’152


142 Zuboff, Surveillance Capitalism (n 12) 195. Emphasis added.

143 Brett M Frischmann and Evan Selinger, Re-Engineering Humanity (CUP 2018).

144 ibid esp 102 ff.

145 ibid 124. Italics in the text.

146 Julie E Cohen, Between Truth and Power: The Legal Constructions of Informational Capitalism
(OUP 2019).

147 For a comparison between Cohen’s and Zuboff’s books, see Amy Kapczynski, ‘The Law of
Informational Capitalism’ (2020) 129 Yale Law Journal 1460.

148 Cohen (n 146) 1. Italics in the text.

149 Kapczynski (n 147) 1460.

150 Fritz Machlup, The Production and Distribution of Knowledge in the United States (PUP 1962);
Peter F Drucker, The Age of Discontinuity: Guidelines to Our Changing Society (Harper and Row
1969).

Surveillance capitalism can be regarded as the current developmental stage of
informational capitalism,153 where the ‘capture, rendering and analysis of
behavioural data allow private companies to modify citizens’ behaviour by
cultivating ‘radical indifference . . . a form of observation without
witness.’154 The focus on the production of ‘new markets of behavioural
prediction and modification’155 is what differs. Whilst many had already studied
the legality of predictive analytics, the element of behavioural modification
had been mostly ignored. That is where the real danger lies — and that is where
the IoT, with its combination of sensors and actuators, proves to be pivotal to
surveillance capitalism. In the IoT, data is the main commodity, and the users
can be regarded as data producers.156 By appropriating this commodity and
controlling the means of production, surveillance capitalists treat us as
industrial capitalists treat their workers — except that now we are not even
aware of being workers.157

Surveillance capitalists regard citizens as the by-product of the data they and
their Things produce. Companies such as Google and Facebook rely on a continual
process of ‘digital dispossession.’ This concept is rooted in the social theory
of ‘accumulation by dispossession’ developed by David Harvey.158 Though Zuboff
refers to Harvey without much elucidation, it is worth keeping in mind that the
social theorist criticised Marx159 and Rosa Luxemburg160 for relegating
accumulation based upon predation and violence to an ‘original stage’ that they
considered outside of the capitalistic system — the so-called primitive
accumulation.161 In Marxist terms, primitive accumulation is the prehistory of
capital as it is the ‘historical process of divorcing the producer from the
means of production.’162 The capitalist system presupposes the ‘complete
separation of the labourers from all property in the means by which they can
realize their labour.’163 To achieve such separation — in other words, to allow
capitalists to own the means of production and subjugate labourers — one need
consider the history of violent dispossessions that is rooted in the enslavement
of feudalism, colonialism, and the enclosures that created a landless
proletariat.164 This primitive accumulation, albeit important to understand
capitalism, is not the result of the capitalistic mode of production; according
to Marx, it is its starting point.165 This is where Harvey differs, and I would
concur. His phrase ‘accumulation by dispossession’ intends to underline the
persistence of predatory practices of accumulation of capital: it is a call for
a ‘general re-evaluation of the continuous role and persistence of the predatory
practices of “primitive” or “original” accumulation within the long historical
geography of capital accumulation.’166 Contemporary capitalism is all about
predation, fraud, and thievery, as epitomised by the wave of financialisation
that set in after 1973 and its ‘[s]tock promotions, ponzi schemes, structured
asset destruction through inflation, asset-stripping through mergers and
acquisitions, and the promotion of levels of debt incumbency that reduce whole
populations . . . to debt peonage.’167 Accumulation by dispossession had one of
its most tragic moments with the collapse of Enron dispossessing many of their
pension rights, and the financial crisis of 2007–2008, which shed light on the
new proletariat of subprime mortgagors.

Zuboff builds on the idea of accumulation by dispossession to present the 
concept of digital dispossession. To give it some context, she refers to Google’s 
cofounder Larry Page’s answer to the question ‘What is Google?’: 


If we did have a category, it would be personal information. . . . The places 
you’ve seen. Communications. . . . Sensors are really cheap. . . . Storage 
is cheap. Cameras are cheap. People will generate enormous amounts of 
data. . . . Everything you’ve ever heard or seen or experienced will become
searchable. Your whole life will be searchable.168


The IoT, with its ubiquitous and cost-effective sensors, allows surveillance
capitalists to extract information about any aspect of the human experience at
virtually no cost, and this can be ‘rendered as behavioral data, producing a
surplus that forms the basis of a wholly new class of market exchange.’169
Surveillance capitalism ‘originates in this act of digital dispossession.’170
While surveillance capitalists acquire this data, we, as citizens, lose it
without gaining anything meaningful in return. Indeed, market power is protected
by ‘moats of secrecy, indecipherability, and expertise. ... [W]e are exiles from
our own behavior, denied access to or control over knowledge derived from its
dispossession by others for others.’171 The IoT overlords observe us to generate
detailed profiles about our beliefs, preferences, vulnerabilities. These
profiles, created by means of digital dispossession, are kept secret by means of
technical, organisational, and legal secrecy,172 as technologies, such as
machine learning and cryptographic techniques, are used to shield algorithms and
other dispossessed data (e.g. inferences) from the public eye. There are also
issues of organisational secrecy, as big tech companies operate under minimum
transparency requirements. This chapter’s main concern regards legal secrecy,
defined as a combination of intellectual property rights (mainly trade secrets)
and contracts used to prevent citizens from knowing what surveillance
capitalists do with the dispossessed data.

As the quote in this chapter’s epigraph suggests, the IoT is at the centre of
surveillance capitalism. As Zuboff notices, the IoT is characterised by a
vision: ‘the everywhere, always-on instrumentation, datafication, connection,
communication, and computation of all things, animate and inanimate, and all
processes.’173 Of these terms, the crucial one — and perhaps the least
accessible one — is instrumentation. Surveillance capitalists exercise
instrumentarian power: the ‘instrumentation and instrumentalization of behaviour
for the purposes of modification, prediction, monetization, and control.’174 Its
theoretical basis can be identified in Skinner’s behaviourism.175 His so-called
operant conditioning approach stemmed from the belief that behaviour could be
re-engineered through reinforcement. In the same way as a pigeon can learn to
peck a button twice in order to receive a pellet of grain, a pervasive
‘technology of behaviour’ could condition entire human populations.176
Instrumentarianism ‘erodes [democracy] from within, eating away at the human
capabilities and self-understanding required to sustain a democratic life.’177
Its imperative is to collect information about any aspect of human behaviour so
that the power of surveillance capitalists can most effectively pursue the
behavioural re-engineering of citizens.

The IoT is pivotal to this end. As a distributed network of sensors, the IoT
transforms all real-world activities into computational streams. This data, in
turn, is subject to a two-dimensional transformation. One dimension is
prediction. From this point of view, the IoT shares the stage with other
technologies and techniques, such as machine learning and data mining.178
However, it is the second dimension that sees the IoT as the real, albeit not
the only, protagonist: execution. Indeed, the ‘extraction architecture is
combined with a new execution architecture, through which hidden economic
objectives are imposed upon the vast and varied field of behavior.’179 This
architecture is provided by the IoT, which gives surveillance capitalists that
real-world ‘knowing and doing’180 presence that is required by the prediction
imperative. Zuboff sees the convergence between IoT and economic imperatives of
surveillance capitalism as the shift ‘from a thing that we have to a thing that
has us.’181 Thanks to the IoT, Things are creating invaluable secondary data
markets; Things — and, potentially, the people who carry them or are in their
proximity — become ‘as easily indexed, searched and traded as any online
commodity [in what IBM calls] the liquification of the physical world.’182 In
other words, a major challenge in the regulation of the IoT is that the addition
of billions of sensors to the internet’s network is allowing individual
behaviour in the physical world to be ‘as closely tracked as online
activity.’183 This is in line with the more general tendency of capitalism to
subjectify the object and objectify the subject, as seen in Chapter 4.

With its mix of sensors and actuators, the IoT is the perfect arm of this
prediction-execution vision to make everything computable — and thus open to
re-engineering. The rhetorical device used to allow the digital dispossession
that is integral to this vision is subtle, and it goes by the names of data
exhaust and raw data. As a by-product of our life, both online and offline, we
generate huge amounts of data that, if not harnessed, risk going to waste, the
tale goes. This is perhaps best illustrated through the ideas of Harriet Green,
the woman behind the attempt to transform IBM into ‘the Google’ of the IoT.
According to Green,184 the single major obstacle to digital omniscience would be
that most of the data companies hold is unstructured and therefore difficult to
code. This data is framed as ‘dark,’ evil data that prevents IoT companies from
being more efficient and creative. Accordingly, the IoT is intended to be
all-encompassing: ‘any behavior of human or thing absent from this push for
universal inclusion is dark: menacing, untamed, rebellious, rogue, out of
control.’185 Surveillance capitalists present digital dispossession as a service
that gives value to otherwise-useless data — what we may refer to as
‘Dispossession-as-a-Service.’ Only by shedding light on this darkness, by
illuminating every aspect of individuals’ private sphere, will the IoT unleash
its potential. In line with this, the recently adopted Data Governance Act has
put forward the concept of data altruism, whereby data subjects are encouraged
to share their data for the common good.186 While not without merit, this
concept reinforces the idea that if we do not give up control over our data, we
are being selfish as we are wasting data. In this light, the IoT becomes the
best solution to counter data selfishness and data waste by transforming
everything into a computer, be it a fridge or a hospital bed.187 Thus, the IoT
offers the phenomenal opportunity to ‘translate ubiquitous data into ubiquitous
knowledge and action.’188

IoT’s digital dispossession, in appropriating our data with the promise of
optimisation, extracts value from us with little in return if not the prediction
and transformation of our behaviour. By exercising new forms of conditioning and
by translating us into ‘an objective and measurable, indexable, browsable,
searchable “it”,’189 IoT companies treat us like Skinner’s pigeons — by-products
of behavioural experiments — thus perpetuating the primitive violence of
capitalism and fully realising its panoptic vision. This is perhaps the main
shortcoming of Surveillance Capitalism, which can be criticised for not dealing
with the continuity between industrial capitalism and surveillance
capitalism,190 for depicting the emerging regime of governance for the political
economy of informationalism as lawless,191 and for tending to ignore global
South perspectives.192 However, her ‘thoroughly researched, rigorously
argued’193 monumental work has the merits of bringing back to the centre of the
public debate ubiquitous corporate surveillance and, more generally,
capitalism’s efforts to appropriate every aspect of our being, as well as the
role of the IoT in this context. The issues in surveillance capitalism go beyond
privacy and data protection, having to do also with other fundamental rights,
such as self-determination and dignity. A separate book should be written to
deal with all this. However, this chapter will more modestly focus on how to use
data protection legislation to protect ourselves from digital dispossession by
means of legal secrecy.


5.5 Looking into Alexa’s Black Box 


To illustrate how digital dispossession plays out in the IoT, this section will inves- 
tigate Alexa’s black box. To do so, I will analyse the data obtained through a 
subject access request, the interactions with Amazon’s customer support centre, 
and Alexa’s privacy policy. 

It is a common misunderstanding to think that IoT data escapes data protection
laws. This belief is rooted in the assumption that all IoT data is ‘machine
data,’ thus counting as nonpersonal data.194 For example, GEA, one of the
largest technology suppliers for food processing industries, states that it
deploys the IoT to monitor and analyse data in relation to its products with the
caveat that ‘[t]ypically, no personal data is processed in connection with any
such technologies.’195 This misunderstanding is based on two incorrect notions.
First, it assumes that all IoT data is machine data. On the contrary, especially
in the context of consumer IoT (e.g. smart home), the Thing can send back to
manufacturers not only data about the Thing itself (e.g. when a movement sensor
is activated) but also granular data about the user’s behaviour. As held by the
ECtHR in PG v UK,196 voice samples are valuable personal data. Second, even
machine data can count as personal data, either in isolation or after
recombination. An example of the first type is provided by Uzun v Germany197
where data about a GPS device placed in a car was regarded as personal data.
More often, through aggregation and recombination of data from multiple Things
and other sources, data that, considered individually, would be nonpersonal can
become personal.198 Thus, the IoT corroborates the idea that ‘the distinction
between personal and nonpersonal data is likely to vanish over time.’199 The
argument can be further developed by claiming that one should not distinguish
between ‘ordinary’ personal data and special categories of sensitive data (e.g.
health data) because new technologies allow for the inference of sensitive data
from ordinary personal data.

As evidence of the fact that digital dispossession practices are mostly kept
private, one can consider Alexa as a case study. Amazon, Alexa’s provider, does
not tell users which data they collect about them. They only disclose ‘the types
of information [they] gather.’200 They merely provide ‘examples of information
collected.’201 This includes data provided by users (e.g. account information),
automatic information (e.g. cookies), and data from unspecified ‘other sources’
(e.g. when users authorise a third-party website, such as Facebook, to interact
with the Thing). This is inconsistent inter alia with the principle of
transparency,202 the requirements for consent,203 and the right to be
informed204 as enshrined in the GDPR.

Moreover, in defiance of the principle of purpose limitation,205 Amazon does not
disclose for which purposes data are collected and processed: they only list
examples of such purposes, which include advertising and unspecified ‘purposes
for which [they] seek your consent.’206 Additionally, Amazon shares users’
personal data with Amazon.com Inc.’s subsidiaries. When I initially wrote this
chapter, Amazon relied on the Privacy Shield to transfer data to the US, but
only five of its subsidiaries were Privacy Shield-certified, which meant that it
was unclear whether the transfers of EU residents’ personal data to the US had a
legal basis. Recently, such uncertainty was made worse by the Schrems II
case,207 which invalidated the Privacy Shield and called into question also the
other ways to justify international data transfers.208 Indeed, the only ways
private companies209 can justify these transfers to non-EEA countries are as
follows.


(i) Adequacy decision, that is, a finding by the European Commission that
the non-EEA country where the data importer is based provides adequate
protection.210 As far as the US is concerned, the Commission originally found
their level of data protection adequate in the so-called Safe Harbour
decision,211 which was found invalid in the Schrems I case.212 In 2016, it was
succeeded by the EU-US Privacy Shield,213 which was a partial finding of
adequacy of the level of data protection in the US.214 The CJEU annulled it in
July 2020, and as there is currently no adequacy decision covering EU-US data
transfers, one should assess whether Amazon’s data exports are otherwise
justified.215

(ii) Binding corporate rules, a group document to which both the data exporter
and the data importer are signatories.216 Being an internal code of conduct
within corporate groups, it would lend itself to being used in our scenario.
However, binding corporate rules have to be submitted to a data protection
authority for approval, and Amazon is not among the few companies availing
themselves of this possibility.217

(iii) Standard contractual clauses (also known as model clauses or standard
data protection clauses) have been adopted by the European Commission and must
be entered into by the data exporter and the data importer.218 The validity of
the standard contractual clauses has been recently confirmed in Schrems II.219
However, the CJEU underlined that additional safeguards may be necessary
depending on the law and practice of the country of the data importer,
especially if the foreign authorities may have access to the data.220 If the
controller or the processor cannot take these additional measures, they have to
suspend or end the transfer.221 In particular, this will be the case when
domestic law imposes obligations that run counter to the content of the standard
contractual clauses. An example of this is provided by US and UK authorities
having access to the undersea fibre-optic cables that make internet
communications possible.222 The passage of Amazon’s Privacy Notice whereby
‘[w]e may be required to disclose personal information that we handle under the
Privacy Shield in response to lawful requests by public authorities’223
corroborates the concern. There is no indication that Amazon relies on these
clauses or that it has put in place additional safeguards.

(iv) Code of conduct approved by a data protection authority, if the data
importer is a signatory.224 However, no approved codes of conduct are yet in
use.225

(v) Certification under a certification mechanism that has been approved by a
data protection authority.226 Similarly to the codes of conduct, no approved
certification scheme is in use.

(vi) Bespoke contract between data importer and data exporter to govern a
specific transfer.227 No data protection authority has authorised any such
contract yet.228

(vii) The GDPR sets out ‘derogations for specific situations’229 in the absence
of an adequacy decision or of the appropriate safeguards detailed in ii-vi. They
include explicit consent230 and contractual performance.231 However, these are
true exceptions, and therefore data controllers, including IoT companies, could
rely on them only for occasional transfers.232 Therefore, Amazon could not rely
on the derogations for the constant data flows that Alexa-enabled Things send to
the US.


Finally, as discovered through a subject access request I submitted in March
2019, Amazon grants users access only to some of their personal data, mainly the
data that the user provided and the times when they interacted with Amazon’s
Things and services. To my surprise, the company thought to comply with my
request by sending me hundreds of obscure spreadsheets, without any explanation
and in a format that is hard to decipher, as seen in Table 5.1 below.233


222 Roxana Vatanparast, ‘The Infrastructures of the Global Data Economy: Undersea Cables and International Law’ (2020) 61 Harvard International Law Journal Frontiers 1.

223 Amazon Privacy Notice, point 12.

224 GDPR, arts 40 and 46(2)(e), recitals 108-109 and 114. See European Data Protection Board, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’ 679.

225 ICO, ‘Guide to the GDPR’ (n 109) 266.

226 GDPR, arts 42, 43, 46(2)(f), recitals 108-109 and 114; European Data Protection Board, ‘Guidelines 1/2018 on Certification and Identifying Certification Criteria in Accordance with Articles 42 and 43 of the Regulation’ (2019).

227 GDPR, art 46(3)(a).

228 ICO, ‘Guide to the GDPR’ (n 109) 267.

229 GDPR, art 49.

230 GDPR, art 49(1)(a).

231 GDPR, art 49(1)(b).

232 ICO, ‘Guide to the GDPR’ (n 109) 268-269.

233 This is an extract from one of the spreadsheets that Amazon sent to me when I requested access to my personal data.


Table 5.1 Extract from Amazon’s Reply to One of the Coauthors’ Subject Access Request

Device Record Time    Data Source Name234    Country of Residence    Software Version
21/03/2019 01:24      G070L8118454139U       GB                      288.6.3.2_user_632552020
21/03/2019 01:24      G070L8118454139U       GB                      288.6.3.2_user_632552020
21/03/2019 00:28      G090RF04743204M2       GB                      288.6.3.1_user_631550720
21/03/2019 00:28      G090RF04743204M2       GB                      288.6.3.1_user_631550720
20/03/2019 20:50      G070L8118454139U       GB                      288.6.3.2_user_632552020
20/03/2019 20:25      G090RF04743204M2       GB                      288.6.3.1_user_631550720
19/03/2019 20:04      G070L8118454139U       IT                      288.6.3.2_user_632552020


The data I was granted access to did not include, e.g. my ‘digital twin,’
namely, the profile that Amazon has been building about me — and about any other
customer — based on my personal data.235 Importantly, the copy of my data
obtained upon request under Article 15 GDPR excluded those precious inferences
that should be recognised as personal data, as said prior.236 Amazon stores the
recording of the user’s interactions with Alexa.237 Thanks to its
emotion-recognition technologies, Amazon can extract from users’ voice valuable
information about their feelings, information that can be utilised to target
them more effectively. This is exemplified by the patent Amazon was granted in
2018 under the ostensibly innocuous title ‘Indirect feedback systems and
methods.’238 Thanks to this patent, Amazon has a monopoly on a technology that
allows the company to detect users’ physical, emotional, and behavioural states.
These states are ‘shown, heard, or otherwise detected in the sensed
data. . . . [A] user’s facial expression and/or body language can provide
indirect feedback as to how the user is feeling (e.g. mood).’239 As Figure 5.1
illustrates, Amazon uses its IoT sensors to extract data about our emotions to
serve us with ads and offers that reflect those emotions.

Our face and our voice are rich data sources. It is crucial to keep this in mind
when reflecting on the fact that our voice interactions with Alexa are recorded
and thousands of Amazon employees transcribe, annotate, and feed back the
recordings into the software.240 This patent is only one of the many worrying
applications of affective computing, a field that infers people’s emotions,
traits, and behaviours by exploiting intelligent machine learning methods and
data acquired through Things.241 This is a threat to citizens’ privacy, data
protection, autonomy, and self-determination. Interpreted in a future-proof and
technologically neutral way, the GDPR should allow IoT users to access these
inferences and to stop their use when in the context of solely automated
decisions. Regrettably, Amazon keeps our emotional profile secret. Once
interrogated to obtain more information about my data, Amazon did not comply
with my requests. One may conjecture that this is because Amazon’s Privacy
Notice subjects the rights to access, rectification, portability, and erasure to
the ‘applicable law,’242 and the applicable law includes intellectual property
law and trade secrets. Therefore, the next section will investigate under which
circumstances IoT companies can invoke this ‘legal secrecy’ to prevent the
exercise of those GDPR rights that may otherwise help citizens fight against
digital dispossession.

Figure 5.1 Drawing no 7, USPTO 10,019,489.


5.6 Can the GDPR Counter IoT-Powered Digital Dispossession? 


To understand whether IoT users can invoke the GDPR to counter IoT-powered
digital dispossession, one need critically analyse the relationship between
trade secrets and personal data protection. Indeed, trade secrets appear to be
the main tool used by IoT companies to digitally dispossess their users.243
Other intellectual property rights — namely, patents on computer-implemented
inventions and software copyright — do play a role and will be accounted for in
the next chapter. Tensions over the control of IoT data arise at the confluence
of data protection laws and trade secrets. Nonetheless, there has been little
effort to investigate the interplay between these two regimes.244 The same data
could be covered by both data protection rights and trade secrets; this begs the
question if and to what extent trade secrets can be invoked by IoT companies to
reject users’ claims based on the GDPR.245 In other words, it will be questioned
whether the GDPR’s philosophy of data control and openness can prevail over
trade secrecy or whether, by contrast, closed, siloed systems are the (present
and) future of the IoT.


5.6.1 The Conflict between Trade Secrets and Data Protection 


Transposed by member states in June 2017, the Trade Secrets Directive contains a
commitment to respect the right for private and family life and the right to
protection of personal data, as enshrined in the Charter of Fundamental Rights
of the EU.246 It further clarifies that the GDPR247 governs the processing of
personal data that takes place whilst taking steps to protect a trade secret and
in proceedings on the unlawful acquisition, use or disclosure of trade
secrets.248 The conclusion is that the Trade Secrets Directive ‘should not
affect the rights and obligations laid down in’249 the GDPR. Considering the
GDPR’s underlying philosophy, the assumption that the two regimes converge is
debatable. An IoT company may seek its users’ consent to collect their data and
commercialise them, but it is unclear what happens if the users want to access
that data, especially once it has been aggregated with other secret information
and it has become difficult to isolate. Regardless of the directive’s statement
of principle that no conflicts will arise, trade secrets and personal data
protection do and will indeed clash. Therefore, it is crucial to understand how
to govern such conflict.

It should be noted that the directive’s aforementioned provisions about the
relationship to data protection are not binding as they are found in the Trade
Secrets Directive’s recitals. The only binding provision is Article 9(4),
whereby the processing of personal data in the course of legal proceedings
relating to the unlawful acquisition, use, or disclosure of a trade secret must
comply with the GDPR. This is significant for two reasons. First, it shows a
single-minded conception of the GDPR as a confidentiality law as opposed to a
data control law. Indeed, the legal proceedings this provision refers to are the
proceedings for the ‘[p]reservation of confidentiality.’ The national
implementation measures confirm this by imposing obligations of confidentiality,
but not an express duty to comply with the GDPR.250 Second, the fact that this
is the only binding provision that refers to data protection may be interpreted
as meaning that the rest of the trade secret-related processing, e.g.
acquisition of the trade secret, must not necessarily comply with the GDPR. An
analysis of the latter instrument militates against this interpretation, as will
be shown later on.

Finally, whilst the Trade Secrets Directive does not provide unambiguous
arguments to conclude on which regime will prevail — trade secrets or data
protection — a pro-GDPR argument can be made starting from the exceptions that
the directive provides. In particular, defendants can claim that the
acquisition, use, or disclosure of the secret was carried out ‘for exercising
the right to freedom of expression and information’251 as well as for a
‘legitimate interest.’252 The next chapter will delve into these exceptions. For
the purposes of this section, suffice it to say that the GDPR can be seen as an
application of the freedom to access information and that data protection is a
legitimate interest in the EU.253 Therefore, the unauthorised access to one’s
personal data held by an IoT company may be regarded as lawful inasmuch as it
falls within the scope of these exceptions.

Unlike the Trade Secrets Directive, the GDPR provides clearer arguments to
conclude that in most scenarios, data protection will prevail over trade
secrets. It is possible to construe the GDPR as meaning that IoT companies
cannot use intellectual property rights as an excuse not to comply with the
right to data protection. The starting point is Recital 63, whereunder the right
of access ‘should not adversely affect the rights or freedoms of others
including trade secrets or intellectual property.’254 Thus, the GDPR recognises
that trade secrets and data protection may clash and that a balance should be
struck between the right to maintain the secrecy of valuable commercial
information and the right to access that information when it includes personal
data. Concerns have been expressed that the trend to appropriate algorithms by
means of trade secrets may render transparency unfeasible.255 However, Recital
63 should not be interpreted as a blanket preference for trade secrets over data
protection. To prove this point, three observations can be made.

First — and this is a key difference between the GDPR and the Data Protection
Directive256 — Recital 63 of the GDPR clarifies that the result of trade secrets considerations
‘should not be a refusal to provide all information to the data subject.’
The Article 29 Working Party pointed out that the provision whereby trade secrets
should not be adversely affected is to be interpreted narrowly; indeed, ‘controllers
cannot rely on the protection of their trade secrets as an excuse to deny access or
refuse to provide information to the data subject.’257 When it comes to the right
of access, the GDPR recommends data controllers offer remote access to a secure
self-service system which would, in turn, provide data subjects with direct access
to their data.258 The Information Commissioner’s Office — the UK’s data protection
authority — suggests that such a self-service system should not include trade
secrets.259 And indeed, allowing automated, remote access would not be consistent
with the reasonable steps that the holder has to take to keep the commercial
information secret; indeed, without these steps, the information would fall beyond
the definition of trade secret.260 Therefore, the indication that the right of access
should not adversely affect trade secrets should be interpreted as a right not to allow
remote automated access to the personal data that the company holds. However,
IoT companies, and all data controllers, must grant access through nonautomated
means. Companies should rigorously distinguish the data whose disclosure would
nullify the secrecy of the relevant commercial information and the data that can be
disclosed without nullifying said secrecy. Should this disclosure not satisfy the user,
a broader disclosure can be obtained through administrative or judicial proceedings.
In these venues, access to personal data covered by a trade secret can be granted and
will be accompanied by measures that safeguard the commercial value of the trade
secret, for instance an order not to disclose the trade secret outside the courtroom.261

Second, it is crucial to keep in mind that the GDPR refers to trade secrets as an
example of third-party rights that one should consider when responding to subject
access requests. The right of access should not adversely affect the ‘rights or freedoms
of others, including trade secrets.’262 This is crucial because Article 15 of
the GDPR, which deals with the right of access, provides that rights and freedoms
of others should not be adversely affected by the ‘right to obtain a copy’263 of the
data undergoing processing. This is a right to obtain a free-of-charge copy of one’s
personal data, and it is only one of the powers that the right of access gives data
subjects.264 This means that rights and freedoms of others, including trade secrets,
can only adversely affect the right to obtain a copy, not the right of access as a
whole. Indeed, under Article 15,265 the right of access gives the data subject a
wide range of powers:


(i) A right to obtain confirmation as to whether one’s personal data is processed;
(ii) A right to access the data that is being processed;
(iii) A right to obtain a free-of-charge copy of the data;
(iv) A right to obtain information about some key features of the processing.
These include the purposes of the processing, their sources, and the existence
of — and the logic involved in — automated decision-making.266


I am of the view that IoT companies cannot invoke their trade secrets to deny 
subject access requests. The only derogation that the joint operation regards the 
right to obtain a copy of the data. Accordingly, IoT companies can only leverage 
trade secrets to exclude from the free-of-charge copy data that cannot be isolated 
from the confidential information. Conversely, I would argue that these compa- 
nies, and more generally companies that use trade secrets for digital dispossession 
purposes, must: 


(i) Release a copy of the data that can be isolated from the confidential
information;

(ii) Confirm that personal data — including data that cannot be isolated from
confidential information — is being processed; 

(iii) Grant access to key information, including the purposes of the processing, e.g. the 
inclusion in information covered by trade secrets; and finally, more importantly, 

(iv) Grant access to all the data, including the data covered by trade secrets, 
although in a ‘view only’ mode. 


For example, if the data appropriated by an IoT company can play a role in the 
data subject’s defence in legal proceedings — and such data cannot be isolated 
from the rest of the information covered by the trade secret — the company may 
decide not to release a copy of the data, but at least it should allow the parties’ 
representatives and the court to view the relevant data. 

Third, there is one other data subject right whose exercise should not affect
the rights and freedoms of others under the GDPR.267 The only other data protection
right on which trade secrets can, under certain circumstances, prevail is
the right to portability under Article 20 GDPR. This is the right to receive one’s
personal data in a structured, commonly used, and machine-readable format and
to transmit it to another controller.268 Article 20 does not refer to trade secrets,
but it seems reasonable to interpret its reference to ‘the rights and freedoms of
others’269 as inclusive of them. The right to data portability ‘is the cornerstone
of the right to control.’270 In principle, Echo users who would like to switch to
Google Home have an interest in transmitting the data that Echo has been collecting
about them to Google. Thanks to this data, the new virtual assistant would
learn more quickly about the user’s preferences and habits and would provide a
more personalised service.271 Data portability is also pivotal to the right to repair.
It is a common practice in the IoT to prevent users from using third-party services
to repair or update the Thing.272 The right to data portability — especially used in
combination with the rights of service portability and nonpersonal data portability
seen in Chapter 1 — is particularly useful to tackle such lock-in practices.273
Under Amazon’s Privacy Notice, users can ‘ask for data portability . . . subject
to applicable law.’274 The reference to the applicable law surely includes Article
20(4) of the GDPR, whereby the right to data portability ‘shall not adversely
affect the rights and freedoms of others.’ Accordingly, users should not be advised
to rely on the right to data portability to counter IoT companies’ digital dispossession
practices. Indeed, unlike the right of access, the right to data portability
would appear to be excluded as such if its exercise adversely affects trade secrets.
Nonetheless, the result of trade secrets considerations ‘should not be the refusal to
provide all information.’275 Therefore, IoT companies should endeavour to isolate
the requesting data subject’s personal data and facilitate its portability.

The rights to obtain a free-of-charge copy and to portability are the only data 
subject’s rights that can be, to some extent, compressed if they adversely affect 
the rights and freedoms of others, including trade secrets. Therefore, relying on 
an argumentum a contrario, I would opine that IoT companies cannot invoke 
their trade secrets to neutralise other data subject rights and their obligations as 
controllers. With the exception of the rights to obtain a copy and to portability, 
trade secrets will not be a valid legal basis for any exceptions or limitations. This 
means that trade secrets will not limit the rights to be informed, to rectification, 
to erasure, to restrict processing, to object, and not to be subject to automated 
decision-making. Two of these rights are best placed to empower citizens who 
are victims of IoT-powered digital dispossession: the right to be informed and the 
right not to be subject to automated decisions. 


5.6.2 The Rights to be Informed and Not to Be Subject to Automated 
Decisions in the Arsenal of the Digitally Dispossessed 


The right to be informed276 is an expression of the first data protection principle,
namely, lawfulness, fairness, and transparency.277 Transparency operates as the chief
counterweight to secrecy in that it creates an obligation to be clear, open, and honest
with users about how and why their personal data is processed.278 As we have seen
in the analysis of the Unfair Terms Directive,279 transparency is intrinsically linked
to fairness. In the field of data protection, it applies to three central areas:


(i) The provision of the information about which data is processed and how it is
processed;
(ii) The provision of information about data subject rights;
(iii) The way data controllers facilitate the exercise of data subjects’ rights.280


For the purposes of this chapter, it is sufficient to focus on i, as it is the most likely 
to apply to a scenario where an IoT company attempts to appropriate its users’ 
personal data by trade secrecy means. 

IoT companies that process personal data must inform users in a concise, transparent,
intelligible, and easily accessible way.281 The information — to be provided
at the time when personal data is obtained282 or within a month283 — includes
the purposes of the processing, the entities with whom the data is shared, the
existence of the right to access the data, as well as the existence and the logic
involved in automated decision-making.284 Since Things have unconventional,
limited, or no interfaces, it is crucial that IoT companies follow a Data Protection
by Design285 approach, whereby the GDPR principles are embedded in the design
of the Thing from the outset (e.g. holograms to provide privacy notices).286 The
study of Amazon Echo’s contractual quagmire showed that the GDPR-mandated
information is only partly provided — and certainly not in an accessible way. Amazon
e.g. declares that they process personal data to ‘operate, provide, and improve
the Amazon services’287 and enclose a list of purposes that are supposed to exemplify
this triad. However, they include also advertising that, strictly speaking, is
not necessary to operate, provide, or improve the services. Advertising is one of
the purposes that are behind Amazon’s digital dispossession practices through
affective computing technologies.

Informing users in a transparent way means that they should be able to ‘determine
in advance what the scope and consequences of the processing entails and
that they should not be taken by surprise at a later point about the ways in which
their personal data has been used.’288 Therefore, the IoT company should be clear
about the consequences that appropriating personal data can have on the user.
Digitally dispossessed data can be used for targeted advertising at best, for manipulation
and discrimination at worst.

There are limited exceptions to the obligation to inform, and they apply
only when personal data is obtained from sources other than the user (e.g. data
brokers).289 When this is the case, data controllers do not have to inform users if
the latter already have the information; providing it would be impossible, require a
disproportionate effort, or render impossible the achievement of the objectives of
the processing; the processing is required by law; or an obligation of professional
secrecy covers the data.290 Inclusio unius, exclusio alterius: the reference to professional
secrecy means that trade secrecy, as such, does not constitute an exception
to the right to be informed and that, as a rule, IoT companies that hold trade secrets
must fully comply with the obligations to inform. Conversely, said companies
may try to argue that informing the user would make impossible the achievement
of the objectives of the processing. This does not provide a blanket exemption
to IoT companies holding trade secrets. They have to prove that the provision of
information ‘would nullify the objectives of the processing.’291 Whereas one could
argue that the disclosure of the trade secret as such might nullify said objectives,
informing that the data is being appropriated e.g. to create profiles with the data
inferred from the observation of the user’s behaviour would not. At any rate, IoT
companies relying on this exception would still need to satisfy all the data protection
principles, including fairness and lawfulness.292

In most cases, IoT companies will not be able to adduce trade secrets as an
exception to the right to be informed. Accordingly, they will have to thoroughly
inform users about their digital dispossession practices. The principle of transparency,
which underpins the obligations to inform, may offset trade secrecy. Being
informed of digital dispossession is the prerequisite for the users to act and attempt
to stop it or minimise its risks. Users can rely on another right to actively defend
themselves from IoT companies who weaponise their appropriated personal data,
e.g. by using their algorithms to take automated decisions that can have profound
consequences, e.g. automated screening of job applications.293 The main tool that
the GDPR makes available in this sort of scenario is the right not to be subject to
an automated decision.294

Under Article 22 of the GDPR, the right not to be subject to an automated decision
instantiates a general prohibition for data controllers to subject individuals to
a (i) decision that is (ii) based solely on automated processing and (iii) produces
legal effects concerning the individual or, similarly, significantly affects them.295
Amazon e.g. should not be allowed to automatically exclude from its IoT platforms
some users based on their ethnicity. Such automated systems should never
be put in place if their decision can profoundly affect data subjects.

The restriction on solely automated decision-making can be lifted on three
grounds: contractual necessity, statutory authorisation, and explicit consent.296
The restriction cannot be lifted if the controller processes special categories of
data (e.g. health data), unless special circumstances apply, e.g. the processing is
necessary for substantial public interest reasons.297

Contractual necessity, statutory authorisation, and explicit consent do not operate
as a carte blanche; an IoT company wishing to rely on them would have to
implement suitable safeguards for the data subject’s rights, freedoms, and legitimate
interests. They include, at least, the right to obtain human intervention on the
part of the controller, to express their point of view, and to contest the decision.298
It is debated whether one of the safeguards is the right to obtain an explanation
of the decision. On the one hand, it can be argued that since such right is only
referred to in a nonbinding recital and not in Article 22 itself, there would be no
right to an explanation.299 On the other hand, based on a more systematic interpretation
that takes into account the principle of transparency and the obligations
to inform, it can be argued that a right to an explanation exists.300 And indeed, the
fact that the right to an explanation is referred to in a nonbinding recital should not
be overstated. The pivotal role of recitals in interpreting the provisions of an EU
act has been expressly recognised by the Commission.301 Therefore, the reference
to the right of explanation in the recital shall be used to properly construe Article
22 to reflect the context of the provision and the overall purpose of the GDPR,
that is, increasing the protection of the data subjects’ rights. Even though applying
the literal rule of Article 22 would not entail a right to explanation, a purposive
approach and a correct valorisation of the role of recitals make it clear that data
subjects are entitled to such a right. In any event, should one be of the view that
the right to an explanation does not exist, the right to inform expressly includes
the obligation to inform about the existence of automated decision-making and to
provide meaningful information about the ‘logic involved, as well as the significance
and the envisaged consequences of such processing for the data subject.’302
This means that IoT companies that hold trade secrets should not use algorithmic
or otherwise-automated systems to take decisions that can negatively affect the
user. If they do so, e.g. because the user gave them explicit consent, they still need
to put in place some safeguards that at least include an obligation to explain the
logic involved in the algorithmic decision and the right to a human being reviewing
the decision. Whereas under certain conditions IoT companies may trigger
their trade secrets to limit the rights to obtain a copy of the data and to portability,
they will not be able to oppose their trade secrets as a valid reason not to provide
meaningful information about their algorithmic decisions and to deny the right
to human review. Thus, there is a major difference to the US approach in State
v Loomis,303 when Mr Loomis had been considered dangerous by an algorithmic
system and had not been able to contest the decision because the system was
proprietary. In the EU, higher data protection standards304 and the right to a fair
trial305 would not allow such an outcome.

This should be caveated with the observation that the GDPR does allow member
states to introduce restrictions to all data protection rights — not just to the
rights of access and of portability — ‘when such a restriction respects the essence
of the fundamental rights and freedoms and is a necessary and proportionate measure
in a democratic society to safeguard . . . the protection of the data subject or
the rights and freedoms of others.’306 This option could be used to allow wider
limitations to data subjects’ rights based on trade secrecy. As far as I know, France
is the only member state that took advantage of this option. Indeed, the Loi informatique
et libertés — France’s data protection statute — provides that when an automated
decision is justified by contractual necessity or explicit consent, the data
controller, alongside ensuring human intervention, the right to express one’s point
of view, and the right to contest the decision, must communicate the rules that
define the processing and the main characteristics of its implementation ‘with the
exception of the secrets protected by the law.’307 It is fair to infer that these secrets
protected by the law encompass trade secrets. This does not mean, however, that
users who are based in France cannot rely on Article 22 of the GDPR to counter
IoT digital dispossession. It merely means that in informing about the automated
system, the controller does not have to disclose trade secrets. Nonetheless, all IoT
companies, including those who are based in France, will have to:


(i) Abide by the general ban on solely automated decisions, unless they have
secured user consent or demonstrated contractual necessity or statutory 
authorisation; 

(ii) Respect the other GDPR rights, including the right to be informed about the
logic involved in the automated decision; and 

(iii) Endeavour to isolate users’ personal data from the rest of the information that 
is covered by trade secrets and inform users accordingly. 


5.7 Interim Conclusion: Data Protection Law and the ‘Smart’
Proletariat 


Overall, the GDPR does provide adequate tools to counter IoT-powered digital
dispossession. Prima facie, this might be interpreted as meaning that the GDPR
is an anticapitalistic instrument. This is not the case. The theory of surveillance
capitalism underlines how the violence of dispossession is not limited to those
histories that precede capitalism: digital dispossession is a continuous process,
and its violence is disguised in multifarious ways. Capitalists need to sell the
commodities produced by the workers in order to recover the original outlays
and the surplus value extracted from the labour force.308 By leveraging IoT data,
including inferential data, surveillance capitalists can exploit users’ vulnerabilities
to do precisely this — what the previous chapter called ‘the Internet of Personalised
Things.’ However, the convergence between IoT and capitalism also
takes another, more subtle form. With her characteristic lucidity, Rosa Luxemburg
defined the essence of capitalism as a system that uses the fruits of exploitation ‘to
increase exploitation itself’:309 this is seen as the way to achieve not only profit
but also constantly growing profit. For exploitation to take place, capitalists need
a sufficient quantity of labour power. To ensure this, they have to make sure that
workers can maintain themselves (typically through wages) ‘so that they will be
available for future exploitations.’310 Data subjects are data producers and hence
unwitting workers of the data economy.311 The GDPR gives this new ‘smart’ proletariat
some rights that can be relied on to reacquire some control over the data.
In doing so, the GDPR allows us data subjects / unwitting workers to maintain
ourselves, thus being available for future exploitations. This is in line with the
more general observation that the ‘[l]aw for the information economy is emerging
... via the ordinary, uncoordinated but self-interested efforts of information
economy participants and the lawyers and lobbyists they employ.’312 In this sense,
both the GDPR and the IoT can be framed as neoliberal weapons that enable the
perpetuation of surveillance capitalism.


6 The Internet of Things (You Don’t
Own) under Bourgeois Law 


An Integrated Tactic to Rebalance 
Intellectual Property 


Science, generally speaking, costs the capitalist nothing, a fact that by no means 
prevents him from exploiting it. 
Marx, Das Kapital (1) 


6.1 Introduction: Intellectual Property and Rentier Capitalism 


It is a commonly held view that intellectual property (IP) is a policy bargain
whereby exclusive rights and monopolies are granted as a reward to intellectual
labour and investments in order to incentivise innovation and creativity.1 The idea
that IP rights (IPRs) would be a necessary incentive has been largely debunked.2
Law and economics studies demonstrated that IP is just another product of capitalism
aimed at creating new enclosures of the ‘commons.’3 This notwithstanding,
a number of national and international laws have kept expanding its scope and
augmenting the relevant level of protection. Most IP-stemming monopolies are
temporary4 on paper but end up producing revenues that are regarded as rents on
a virtually permanent basis. The elevation of IP to perpetual rent is rendered possible
by complex strategies that rely on cumulation of IPRs, factual control over
data and service, contracts, and technical protection measures. Favoured by a legal
environment that is ‘heavily tilted in favour of IP rent-seekers,’5 IP has become
the key ideological device of rentier capitalism. Traditionally, the phenomenon
of rentiers refers to the fact that landowners would exploit their monopoly power
over the land to impose a rent that was a monopoly price. As noted by Marx in The
Poverty of Philosophy, ‘[r]ent, in the Ricardian sense, is patriarchal agriculture
transformed into commercial industry, industrial capital applied to land, the town
bourgeoisie transplanted into the country.’6 Marx and Ricardo could not foresee
that new forms of rent-seeking would become an essential component of capitalism:
rent-seeking through IPRs.7 The IoT is pivotal to rentier capitalism as it
generates ‘new sources of rent, new infrastructures of rentier relations, and new
mechanisms of extraction and enclosure.’8 While the IoT is not rentier in nature,
the historically existing IoT is indeed rentier also thanks to IP abuses. According
to Jathan Sadowski, data extraction, capital convergence, and digital enclosure
are the main mechanisms of rentier capitalism.9 IP is key to digital enclosure, as
instantiated by the use of software licenses to control access and collecting rents
over the physical world, regardless of the ownership of the underlying tangible
assets.10

The IoT ushers in an era of ubiquitous computing and ubiquitous IPRs. IP
is everywhere and lends itself to monopolise virtually anything.11 One may be
naively inclined to think that one’s own phone is one’s own property. That is not
the case. One’s phone belongs to the holders of the copyright on the code running
on it, the manufacturers owning its design, and the patents on how it works, as well
as trademarks not only on logos but also on things such as the way one ‘swipes.’12
What happens when being embedded with software and other IP-protected digital
contents is no longer an exclusive feature of computers and phones? What happens
when proprietary Things and closed systems are everywhere: in one’s bedroom, in
one’s bathroom, in one’s body? Our behaviour becomes heavily restricted by the
factual, legal, and technical control that IoT companies retain over their Things —
and that we correspondingly lose. We have become digital tenants, not owning or
controlling any of the objects around us and data about us.13 To the point that, one
can argue, we no longer own: we are owned.14

This chapter will present the main IP issues in the IoT and concentrate on
one of them that has been framed as ‘death of ownership’ by Joshua Fairfield in
Owned,15 a germinal book that will provide an initial framework to understand
this issue. Ownership (of Things) is dying either because of the shift from sale
to subscription or because users only formally own their Things but they cannot
exercise any of the powers traditionally associated to property as IoT companies
control every layer of the Thing. This ‘tethered economy’16 has been seen as an
attack on the concept of property reminiscent of feudal times, when ‘serfs of feudal
Europe . . . lacked rights in the land they worked.’17 Similarly, users of Things
would not own them but simply manage them on behalf of the IoT overlords — in
this sense, they would be digital serfs. In reality, as will be argued in this chapter,
the death of ownership — and IP abuses in the IoT more generally — has its roots
in the individualistic outlook of ‘bourgeois’ law under capitalism, rather than
resembling the medieval legal system.

Alongside desk-based research of EU laws, UK laws will be taken into account
when national implementations can shed light on whether it is possible to rely on
IP’s internal and external limitations to protect the IoT user affected by the death
of ownership. This will be complemented by qualitative research, namely, text
analysis of some ‘legals’ that are deemed representative of IoT-typical contractual
practices.

With this in mind, this chapter will answer the following subquestion: can IP 
and antitrust counter the death of ownership? 


6.2 An Overview of the IP Issues and Themes in the IoT 


A review of the relevant literature and case law identifies the following themes 
and issues at the intersection of IP and IoT: 


(i) Death of ownership and digital serfdom; 
(ii) Antitrust control over standard essential patent (SEP) licensing to achieve a 
standardised and interoperable IoT; 
(iii) The ‘Internet of Secrets’; 
(iv) Patentability of IoT inventions; 
(v) The ‘Internet of Digital Locks’; 
(vi) Data ownership; 
(vii) Smartness and distinctiveness; 
(viii) Overcoming Western-centrism; and 
(ix) Commons for an open IoT. 


Points i and ii will be the main focus of this chapter and therefore will be expanded 
upon in the next sections; point iii refers to the legal, technical, and organisational 
secrecy that we have analysed in the previous chapter. 
George Washington Law Review 783.

17 Fairfield (n 14). 




Patentability of IoT inventions. The IoT challenges the identification of the sub- 
ject pattern that is excluded from patentability (hereinafter also ‘excluded subject 
matter’).'® The European Patent Convention excludes software as such from pat- 
entability.!° As shown in the travaux préparatoires to the Convention, the rationale 
of the exclusion is that “patent protection is reserved for creations in the technical 
field’”° and that software is already protected by copyright. The exclusion of soft- 
ware only ‘as such’ means that the latter is patentable if it has a technical charac- 
ter, that is, if it produces a further technical effect when run on a computer or other 
Thing.?! HTC v Apple” provides some useful signposts to understand what this 
technical effect is: (a) whether the claimed technical effect has a technical effect 
on a process which is carried on outside the computer; (b) whether it operates at 
the level of the architecture of the computer; (c) whether it results in the computer 
operating in a new way; (d) whether it makes the computer run more efficiently 
or effectively; or (e) whether the perceived problem is overcome by the inven- 
tion rather than merely circumvented. A common way to circumvent the software 
exclusion is to frame the invention as a computer-implemented invention. This is 
seen as distinct from a computer program because it refers to ‘computers, com- 
puter networks or other programmable apparatus wherein at least one feature is 
realised by means of a computer program.’*? Unlike software inventions, they 
cannot be objected ‘as any method involving the use of technical means (e.g. a 
computer) and any technical means itself (e.g. a computer or a computer-readable 
storage medium) have technical character.’*4 By issuing guidance on computer- 
implemented inventions and examples of ‘further technical effect,’ the European 
Patent Office has made it easier to apply for software patents, including IoT 
patents.” Moreover, a competent draftsperson ‘can usually present a claim as a 
computer-implemented method . . . rather than as a “computer program.’””° Even 
before the IoT, the exclusion of software ‘as such’ from patentability had done 
little to slow down the monopolisation of software innovation. The situation risks 
worsening with the IoT. Indeed, the European Patent Convention’s exclusion is 
based on the hardware-software dichotomy, but as argued in this book, the IoT 
disrupted this dichotomy. The same applies to the North-American exclusion of 
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abstract ideas,” whose historical rationale is that patents were intended to cover 
devices and things.”* Although the inclusion of a Thing in a software claim does 
not necessarily make it admissible, and even though software claims may still fail 
for lack of inventive step,” there is the undeniable risk that the overcoming of the 
hardware-software dichotomy will lead to the factual overcoming of the software 
exclusion.*? When all software becomes embedded in a Thing — in other words, 
when no software is purely software, software ‘as such’ — we must be alert and 
prevent IoT companies from monopolising software innovation at the expense of
smaller businesses, consumers, and society at large. An ambitious solution could 
be a software treaty that would provide for a limited scope and length of soft- 
ware protection, ‘allowing only the means of implementation but not the func- 
tion to be patented; and granting 10 years of utility-model-type or sui generis 
protection.’>! Or even, perhaps more radically, to exclude all software inventions 
from patentability — removing the ‘as such’ proviso — and to rely exclusively on 
the copyright protection of software.** Indeed, although the duration of copyright 
is excessive for a rapid market such as the software one, I would argue that pure 
copyright protection would instantiate a more balanced approach to the legal pro- 
tection of software as, unlike patents, copyright is not a monopoly right which 
allows for independent creations and thus encourages follow-on innovation. 

The Internet of Digital Locks. Technological protection measures and digital rights 
management (DRM), exemplified by the digital locks that prevent gamers from run- 
ning counterfeit games on their consoles, are problematic for at least three reasons. 
First, they leave it to the IP owner to decide whether a use is permitted by one of the 
exceptions, with no or limited possibility for the user to argue otherwise. This goes 
hand in hand with the de facto privatization of internet governance — and ultimately of 
justice — that is a recent trend in digital regulation.*4 For example, under the Copyright 
in the Digital Single Market Directive,” online content-sharing providers have to
prevent the sharing of infringing material (so-called upload filter). In doing so, they have
to ‘put in place an effective and expeditious complaint and redress mechanism.’*° 
Thus, not only is it up to the IoT company to deploy technological locks and filters
to pre-empt ex ante potentially infringing behaviour, but they are also judges in the 
disputes arising therefrom. This is likely to lead to a further compression of the user 
freedoms enshrined in IP exceptions and limitations. This can be inferred by the fact 
that this directive openly provided that ‘Member States shall ensure that users have 
access to a court or another relevant judicial authority to assert the use of an excep- 
tion or limitation to copyright and related rights.’*’ Traditional judicial process is bet- 
ter positioned to account for the conflicting interests at play and understand whether 
the digital lock regarded as infringing activities that would fall within the scope of 
IP exceptions and limitations. However, in a fast-paced, opaque, and asymmetrical 
environment such as the IoT, it is unlikely that end users will resort to legal action 
to open the digital locks. This is regrettable as IP exceptions and limitations are piv- 
otal to achieving a fair balance between the rightsholders’ and the users’ interest. As 
the US Supreme Court put it, copyright ‘protection has never accorded the copyright 
owner complete control over all possible uses of (the) work.’** Conversely, DRM may 
accord complete control. Second, digital locks delegate to automated or partly auto- 
mated systems complex assessments that do not lend themselves to being translated 
into code — e.g. how is one to translate the concepts of ‘fairness’ and ‘substantiality’?*? 
Third, the circumvention of DRM measures is unlawful even when there is no proof of 
underlying copyright infringement.“ In this sense, DRM gives rise to forms of over- 
protective ‘paracopyright”*! and runs counter to fundamental use freedoms, including 
freedom of expression. With the IoT, copyright works such as software and databases 
become embedded in virtually any object that surrounds us; with multimedia products 
becoming commonplace and with every layer of a Thing being locked, ‘the effect of 
DRM systems in economic and social processes may be pervasive. 4? There is little, if 
any,” recourse against IoT companies that implement DRM systems to prevent ‘users
and the government from ever finding out what data is collected and how it is used 
by device manufacturers.’ As the Internet of Digital Locks rises, the postsale control 
over our Things throughout their life cycle is a threat not only to our property but also 
to our autonomy. 

Data ownership. Trade secrets do not, strictly speaking, instantiate a property 
right: they implement a tort law approach that outlaws certain specific uses of the 
confidential information.* Therefore, they have been seen as suitable to protect 
firms in the data economy whilst balancing the potentially conflicting interests 
in data protection and in the free flow of information.** Their widespread use to 
protect IoT data, coupled with factual control over data, supported by DRM-like 
measures, corroborates the thesis that the case for a new property right on the 
data as such has not been convincingly made.“ Such a proposal — dubbed ‘data 
producer’s right’ — is contained in the European Commission’s Free Flow of 
Data initiative.4* On the debatable assumption that the Database Directive’s sui 
generis right? would not be fit for machine-generated data and that new incen- 
tives are needed for the data economy to thrive,°° the Commission proposed a 
data ownership right, that is, a ‘right to use and authorise the use of nonpersonal 
data’! granted to the data producer, that is, ‘the owner or long-term user (i.e. 
the lessee) of the device.’** Thus, users would ‘utilise their data and thereby 
contribute to unlocking machine-generated data.’°> However, law and economics 
studies have abundantly proved that big data is generated despite the absence of 
proprietary incentives.*4 Moreover, the unfitness of the sui generis right for IoT 
data can be called into question.*° More on this will be said later in the chapter, 
when dealing with the exceptions to the sui generis right. For the purposes of this 
section, suffice it to say that this right provides some protection to IoT data. With
this in mind — and considering the protection already afforded by trade secrets, 
factual control, and DRM -— one can hardly say that the production of data needs 
further incentives. This said, we are still far from reaching a consensus on critical 
questions, such as whether and how IoT data can be (and should be) the subject 
of property, how trade secrets and sui generis right interact in governing IoT 
data, and whether ownership should rest with the owner of the Thing, its user, 
its manufacturer, or the manufacturer of the relevant sensor.*° It seems, however, 
that scholars and policymakers are shifting their focus from issues of ownership 
to questions of access — which in the IoT are closely connected to interoperabil- 
ity. Pragmatically, it would appear more useful to take account of the fact that 
IoT companies already treat data like property, regardless of their formal qualification.
Accordingly, we should endeavour to find ways to govern access to IoT
data flows in a transparent, fair, and balanced way.>’ 

Smartness and distinctiveness. The only EU ruling that expressly deals with the 
IoT is the trademark case Bosch v EUIPO.** In recent years, Bosch has been mak- 
ing investments to become an IoT leader. This effort resulted in Bosch IoT Suite, 
an open-source-based platform for IoT solutions with over ten million sensors, 
devices, and machines connected to it.°? Bosch launched its ‘Simply. Connected.’ 
series of ‘smart’ tools that can be controlled via a mobile app — and attempted to 
register the relevant logo as an EU trademark (Figure 6.1).

Figure 6.1 Figurative mark at issue in Bosch v EUIPO (‘Simply. Connected.’).

For the purposes of this book, it is sufficient to focus on two aspects of the
case. The application regarded a wide range of goods and services, from sensors
through sanitary devices to products that were either directly connected
to a network or embedded into connected objects. EUIPO’s Board of Appeal
rejected the application as the sign was deemed devoid of any distinctive char- 
acter. Indeed, the words ‘simply connected’ were seen as a mere slogan mean- 
ing ‘just connected,’ and the figurative elements were considered customary 
and nondistinctive. The Board, in particular, referred to the concept of IoT, 
which they defined as ‘the interconnection of physical objects in a network 
comparable to the Internet, so as to allow them to be controlled at a distance 
or to make them capable of communicating and exchanging information.’61 In
light of this, ‘simply connected’ meant ‘just connected to a network’ or ‘above
all connected to a network’; as such, it was to be regarded as ‘desirable characteristic’
and a ‘laudatory indication’62 for Things, as such nondistinctive.
Therefore, IoT companies attempting to register connectivity-related signs 
should be aware that their signs may be regarded as descriptive and devoid of 
distinctiveness. 

A second aspect that is of relevance from this book’s perspective has to do 
with the examiners’ discretion when it comes to considering signs that are 
applied to a diverse range of IoT products. Bosch attempted to demonstrate 
that, even if the relevant public would understand ‘Simply.Connected.’ as just 
connected to a network, this would be meaningless in relation to the majority 
of the products to which the sign referred. In particular, whereas consumers 
know that laptops, mobile phones, tablets, and earphones can be connected to 
the internet — and therefore the sign may be descriptive with regard to these 
products — they would not be aware that other, everyday objects or their com- 
ponents (e.g. antennas for radios and television receivers, batteries, etc.) can be 
connected to a network.® Moreover, the defence went on arguing that a num- 
ber of services (e.g. training and instruction services) were not limited to con- 
nectivity. In principle, when assessing distinctiveness, examiners should look 
at each good and service separately. Conversely, the Board of Appeal assessed 
jointly products that were prima facie diverse — this was at the core of Bosch’s 
appeal. However, the CJEU confirmed that examiners do have the power to use 
the same general reasoning for a group of products if ‘goods and services .. . 
are interlinked in a sufficiently direct and specific way, to the point where they 
form a sufficiently homogenous category.’65 The concept of IoT provided this
homogenizing factor. Indeed, the court stated that: 


In view of the development of the Internet of Things, the Board of Appeal
was correct to state that the relevant public would see the signs at issue as
indicating the ability of the goods at issue to be connected and would perceive
the services at issue as relating to such connections.66


60 Bosch (n 59) [4], [81].
61 ibid [43].
62 ibid.
63 ibid [45].
64 ibid [71], [72].
65 ibid [50]. Italics added.


Therefore, the existence and pervasiveness of the IoT makes the examiners’ work 
easier as they can assess jointly all the ‘smart’ goods and services, and it renders 
connectivity-related signs nondistinctive well beyond the realm of traditionally 
connected objects to encompass all Things. 

Overcoming Western-centrism. Reflecting a road-to-Damascus moment in legal 
scholarship, it has occurred to some authors that Western-centric IP studies do not 
reflect the socio-economic, cultural, and legal importance of Eastern and Southern 
countries (the ‘global South’).°’ This is particularly the case with China. Once an 
imitator, China has for some time taken on the role of innovator. The country has 
an established manufacturing industry, and many IoT start-ups rely on it. Much of the 
value of these start-ups is in their IP; nonetheless, they do not properly assess the IP 
risks and opportunities of having their Things manufactured in China. Some scholars 
have been studying ways in which IP law can be leveraged to strengthen the posi- 
tion of foreign IoT start-ups in China.® The Chinese information economy is now as 
important as its manufacturing: this is evidenced by its being a top IP holder and by 
the gradual strengthening of its IP laws.” This can be seen in the latest statistics of the 
European Patent Office, where China is the fastest-growing patent applicant in the 
world (+9.9%).”! In light of the growth of China-based IoT and of the modernisation 
of its laws on innovation, IP scholars and practitioners should avoid their Western- 
centric habits. China is no longer a mere rule-taker in global lawmaking,”” including 
in the field of internet regulation and IT law. The awareness of China’s rulemaking 
power should permeate contemporary legal scholarship. In turn, consumers should 
be aware that at least some components of their Things are provided by China-based 
companies, which can leverage their national IP laws to control the Thing’s software, 
hardware, service, and data, thus affecting the Thing as a whole. 

Commons for an open IoT. While IP excesses tend to create a closed and 
noninteroperable IoT, there are many attempts to open the IoT to make it more 
socially just and user-centric. Some of these attempts revolve around the concept 
of ‘commons.’ Information is a common and a public good because it is difficult 
‘to exclude people from knowledge once someone had made a discovery. One per- 
son’s use of knowledge . . . does not subtract from another person’s capacity to use 
it.’ Information is a nonrivalrous and nonexclusionary good. The status of data
as a commons extra commercium has been recently convincingly argued.” New 
technologies, including the IoT, make the commons more vulnerable due to their 
‘ability to capture the previously uncapturable.’” In the field of software, the com- 
mons increasingly take the form of free and open-source licenses.” Some studies 
focused on the importance of free and open-source software (FOSS) and hardware 
to ensure a fully-functioning, inclusive, and interoperable IoT.” IoT software is 
increasingly developed under open-source innovation models and combined with 
proprietary ones, giving rise to hybrid business models. IoT commons are instan- 
tiated amongst other things by open patent strategies, such as patent pools and 
patent pledges.” Around the knowledge commons, including open software and 
hardware, forms of antiproprietary collective resistance can develop.” In the next 
chapter, I will expand on how the commons can provide a solution to many of 
the problems of the IoT in two senses: on the one hand, as a practice of collective 
resistance to new extractive practices; on the other hand, as the foundation for free 
and open-source software, hardware, standards, data, and platforms. 

Current IP scholarship tends to focus on the practical question of how to govern 
the IoT as in how to protect its components and the related inventions. However, I 
felt it was more urgent to explore whether IP laws can be leveraged to re-empower 
IoT users who, increasingly affected by the death of ownership, struggle to cope 
with their diminished status as digital tenants. This chapter aims to fill this gap. 


6.3 Death of Ownership: To Strengthen Property Rights and 
Empower IoT Users-Digital Peasants or to Counter 
Bourgeois Property? 


By selling consumers hardware while retaining ownership of software, service, 
digital content, and data, IoT companies ‘are treating users like digital tenants.’80
These companies are the new prophets of ‘rentier capitalism’ as they are monopolising
access to property (including IP) to extract value from users often without
providing any actual service, let alone innovating or contributing to society.*! 
Being demoted to tenants of one’s own Things has practical consequences. E.g. 
in the UK there is an implied term that the purchaser of a good, as opposed to its 
tenant, will enjoy its quiet possession.*” This means that a trader who transfers 
ownership over a good promises the owner that the possession and use will be 
uninterrupted.*? Owners can avail themselves of this implied term when the trader 
transfers IPRs on the Thing to third parties** as well as to counter the deletion of 
software that makes the Thing inoperable.** Conversely, digital tenants cannot 
invoke such legal protections. 

The concept of ‘death of ownership’ originated in the ‘new servitudes’®® that 
Molly Shaffer Van Houweling described in her study on the usage restrictions 
that courts recognise on software-embedded goods. The ‘death of ownership’ 
transforms end users into digital tenants in a twofold way. First, IoT traders 
may retain ownership of the Thing as such. This trend sees the shift from the 
contract of sale to a mere subscription: in the tethered economy,” we have a 
right to access the ‘device-as-a-service’®* as opposed to outright owning it. Cost 
saving is not the only justification for this phenomenon. IoT users may lease the 
Thing under the condition that, at the end of the life cycle, the Thing be returned 
to them for them to dispose of it responsibly. Perhaps surprisingly, the ‘green’ 
imperatives of the circular economy could contribute to the death of owner- 
ship.® Second — and this is the focus of this section — the death of ownership 
can be caused by IoT companies retaining control over the Thing by factual, 
legal (IPRs and contracts), and technological means. IoT users remain owners, 
though only formally, as they cannot exercise the powers that are traditionally 
associated to property. These two forms of death of ownership are not mutually 
exclusive. For example, in June 2021 owners of smart treadmill Tread+, which 
retails for thousands of dollars, were notified that if they wanted to keep hav- 
ing access to the smart functionalities of the product, they had to pay a monthly 
subscription fee.” Nonetheless, the focus of this chapter is on the second type
of death in its pure form, while the issues of the subscription economy will be 
the subject of future research. 

IoT companies factually, technologically, and legally control the Thing — and 
ultimately its users — by controlling virtually each of its components and layers. 

Factual control regards mostly data and services: they do not lend themselves 
to being appropriated through IPRs but are de facto subject to the jurisdiction of 
the IoT overlord. The latter can factually prevent access to one’s own data and roll 
back services at its discretion. A telling illustration of factual control was provided 
in the previous chapter, where I showed that although in theory we have a right 
to access our data under the GDPR, Amazon does not grant meaningful access to 
the data subject’s profile, including the inferences that the company makes about 
one’s preferences, biases, and vulnerabilities. 

IoT companies also retain technological control over the Thing. This is exem- 
plified by the aforementioned issue of the ‘Internet of Digital Locks.’ A group 
of farmers was surprised to find out that they did not have a right to repair their 
own tractors, purchased from John Deere, a heavy equipment manufacturer. The 
service could only be provided by John Deere—approved technicians.?! John 
Deere argued to the Copyright Office that because the tractor was equipped with 
software and the copyright on the software was merely licensed to the farmer, 
it was within the manufacturer’s powers to prevent farmers from modifying or 
even repairing their own equipment.** Any independent repair would have quali- 
fied as an illegal DRM circumvention. This led to widespread criticism and some 
emphatic calls not to let IoT companies ‘eviscerate the notion of ownership.’ As 
such, the evisceration of ownership does not necessarily harm IoT users; the loss 
of control does. 

‘Legal control’ refers to a combination of contracts and IPRs. As seen in Chapter 
2, the user of as simple a Thing as a speaker would hardly expect to be confronted 
with a mountain of hundreds of terms of service, privacy policy, warranties, etc. 
These ‘legals’ are often used to affect those exclusive rights that are quintessential 
to the property right, at least in its traditional, i.e. tangible, form.” 
The analysis of Echo’s contractual quagmire also shed light on how a number
of IPRs protect Amazon’s speaker. Echo is protected by 84 patents and 427 trade- 
marks that monopolise virtually any aspect of the Thing.” On top of this, IoT 
companies can leverage a rich portfolio of unregistered and registered IPRs from 
trade secrets through copyright to database rights. A perspicuous illustration of the 
death of ownership caused by the incorporation of numerous IP works in all ‘our’ 
Things is provided by the recent Tom Kabinet case,*° which dealt with the legality 
of a virtual market for second-hand e-books. The resale of IP-protected products 
without the rightsholder’s permission is allowed by the principle of exhaustion. 
This principle applies to all IPRs,” and it provides that, once an IP-protected 
product has been lawfully put on the market within the European Economic Area 
by the rightsholder or with their consent, the rights conferred by that IPR in rela- 
tion to the commercial exploitation of the good become exhausted.** This means 
that, once exhaustion occurs, the rightsholder can no longer invoke the IPR in 
question to prevent the further resale (including parallel imports), rental, lending, 
or other forms of commercial exploitation of the product by third parties.” In the 
EU, exhaustion can be regarded as a limitation on IP imposed by the fundamental 
freedom of movement of goods.' The right to distribution — the right to issue 
copies of the work to the public, i.e. to put the work into circulation — is one of the 
copyright owner’s exclusive rights to which exhaustion applies.!°' Conversely, 
the right to communication to the public — that is, the right to make the works 
available to the public in such a way that the public may access them from a place 
and at a time individually chosen by them — is not subject to exhaustion. The key 
question in Tom Kabinet was whether the supply by downloading, for permanent 
use, of an e-book was covered by the concept of ‘communication to the public’ or 
by that of ‘distribution to the public.’ In the former event, the IP holder could pre- 
vent the resale of the e-book; in the latter, the resale would be lawful as exhaustion 
applied. As stated by the CJEU in UsedSoft,'™ the right to distribution of a com- 
puter program is subject to exhaustion regardless of whether it is incorporated in 
a tangible medium. Accordingly, lawfully downloaded software may be resold.!%
In Tom Kabinet, the CJEU considerably narrowed the scope of the UsedSoft doc- 
trine by arguing that: 


(i) The right to distribution of computer programs is indeed subject to exhaus- 
tion regardless of the existence of a tangible medium. However, the concept 
of ‘computer program’ does not include e-books, which can be regarded as 
digital copyright products governed by the Infosoc Directive as opposed to 
the Software Directive.'™ 

(ii) Unlike the Software Directive, the Infosoc Directive would rely on the tangible- 
intangible divide; therefore, tangible items distributed by tangible means 
are covered by the right to distribution and can be resold without the rights- 
holder’s permission under the principle of exhaustion. Conversely, intangible 
copyright products such as e-books are not distributed; they are communi- 
cated to the public, and since this right is not subject to exhaustion, the resale 
of used e-books requires the copyright holder’s permission. !°5 


This decision is open to a twofold criticism. First, the growth of IoT and con- 
verged devices has led to an erosion of the distinction between software and digi- 
tal products. Arguably, an e-book — similar to the digital content and the service 
embedded in a Thing (e.g. e-sport played on a ‘smart’ console) — falls within the 
commonly accepted definition of software, that is, a collection of instructions that 
can be executed by a computer to perform a specific task.'°° With Tom Kabinet, 
it is unclear when a set of instructions leaves the realm of computer programs and
enters that of digital product. Second, perhaps more importantly, given the amal- 
gam of hardware, software, service, and data in the IoT, the Tom Kabinet doctrine 
risks leading to an ‘exhaustion of exhaustion.’ Things are sold intact with soft- 
ware preinstalled and not removable or changeable under the license agreement — 
software is not bundled separately anymore. To predicate that the exhaustion of 
IPRs depends on the tangible-intangible divide may reflect the wording of the 
Infosoc Directive and, in particular, of Recital 28, whereby ‘(c)opyright protec- 
tion under this Directive includes the exclusive right to control distribution of the 
work incorporated in a tangible article.’ However, it is an outdated approach that
is at odds with the smart reality we live in. Such binary doctrine may be exploited 
by IoT companies that own the IPRs on the intangible components of the Thing 
to prevent further resale or other commercial exploitation despite the exhaus- 
tion of the right to distribution, ultimately breaching the fundamental freedom of 
movement of goods in the EU. This is in line with other attacks on the principle 
of exhaustion, as exemplified by Coty v Akzente.'°’ In this case, a luxury brand
was allowed to impose restrictive distribution agreements excluding third-party
e-commerce platforms. De lege ferenda, two recommendations can be made. First, 
the Software Directive should be amended to expressly define computer programs 
in line with commonly accepted computer science ontologies, while providing 
that every time software is involved, this directive will prevail on general copy- 
right rules. Second, in light of the right to communication to the public becoming 
ubiquitous (most recently in VG Bild!’ about ‘framing’), copyright law should 
be amended to provide that this right too — not just the right to distribution — be 
subject to exhaustion. Otherwise, as most Things include content that is commu- 
nicated to the public, there is the risk of reducing the principle of exhaustion to 
irrelevance, thus sterilising a limitation to IP that would otherwise be pivotal to 
ensuring the free movement of Things. 

The combination of these factual, technological, and legal controls that the IoT 
company retains over the Thing results in the death of ownership. In turn, this 
manifests itself in decreased user power over the Thing, whilst the IoT company
increases its power over the Thing, leading to its after-sale modification throughout
its life cycle, and over user-generated content. I will analyse each manifestation
in turn.

Decreased User Power Over the Thing. Linking back to Echo’s scenario, its
legals warn that ‘Service, Software and the Digital Content embody intellectual
property that is protected by law.’109 Virtually any aspect of Amazon’s apps and
Things is covered by patents, trademarks, copyright, trade secrets, and other
IPRs.110 Amazon’s control over Echo’s IP-embedding components prevents users
from exercising their proprietary prerogatives. Under Alexa Terms of Use, e.g.
users can utilise it only for personal and noncommercial purposes.111 Under Amazon’s
Conditions of Use and Sale, users can only share content via ‘their’ Thing
to the limited extent that they ‘own or otherwise control all of the rights.’112 This
begs the question whether they can share contents by relying on IP exceptions or
defences.113 The question is of crucial importance because Amazon can suspend
and terminate those accounts that they deem to carry out infringing activities.114
Amazon’s approach is clearly against allowing users to exercise their fundamental
freedoms as conveyed by the copyright exceptions. This can be seen in the Additional
Amazon Software Terms that prohibit to ‘copy, modify, reverse engineer,
decompile or disassemble, or otherwise tamper’115 with Echo’s software. This
provision is likely to qualify as ‘null and void’116 under the Software Directive as
it is contrary to the study and decompilation exceptions.117 More on the potential
of IP exceptions to tackle the death of ownership will be said in the next section.

This cumulation of IPRs affects the degree of control that we have over the 
Thing as a whole and signals a shift from ownership to tenancy. Indicative of 
this shift are also those provisions whereby users do not own the digital content 
embedded in Echo: users have only a ‘non-exclusive right to view’118 the content.
Indeed, the latter is merely ‘licensed, not sold, to you.’119 Amazon exercises a form
of techno-legal power that is epitomised by its use of Microsoft PlayReady™, a
copy prevention technology embedded in software and hardware that allows control
over the video content displayed on Amazon’s Things.120 Users remain owners
of the Thing, but their right does not even resemble that absolute power over
goods that is at the core of the traditional concept of property. 

Increased Corporate Power Over the Thing. The death of ownership is not 
limited to the reduced power that users can exercise over ‘their’ Things. It is also 
connected to the IoT companies’ increased contractual power that leads to the 
possibility to modify the Thing unilaterally throughout its life cycle. Users must 
be aware that their Thing may vary over time and possibly become radically dif- 
ferent to what it was when they purchased it. This is evidenced by the fact that the 
services and the digital content provided through Echo may become unavailable 
over time and contain errors, without Amazon being liable for it.121 This can be
seen with even more clarity in that contractual provision that allows Amazon to 
cease providing Echo’s software and to terminate the user’s right to use the soft- 
ware at any time: ‘[y]our rights to use the Amazon Software will automatically 
terminate without notice from us if you fail to comply with any of these Software 
Terms, the Conditions of Use or any other Service Terms.’122 The unavailability
of the software makes the Thing as a whole unusable, including its hardware, 
service, digital content, and data components. 

115 Additional Amazon Software Terms, last updated on 29 January 2020, 3.
116 Software Directive, art 8.
117 Software Directive, arts 6 and 5(3).
118 Kindle Store Terms of Use, last updated on 22 May 2018, 1. Similar provisions apply to the video
content under Amazon Prime Video Terms of Use, 4h.
119 Kindle Store Terms of Use, 1.
120 Third Party Software, last updated on 26 July 2019.
121 ibid 13; Amazon Prime Video Terms of Use, 4i and 6d.
122 Additional Amazon Software Terms, 1.

Increased Corporate Power Over User-Generated Content. Alongside decreased
user power over the Thing — and, correspondingly, increased corporate power
over it — the death of ownership manifests itself through IoT companies claiming
control over the content generated by users via the Things. Users typically retain
ownership over the contents they generate, but they effectively lose control over
them by granting Amazon a worldwide sublicensable, royalty-free license over 
that content.!?3 This can only partly be countered through the exercise of moral 
rights and image rights, but their protection is, in practice, weak and piecemeal. 124 
The shift from ownership to control is a feature of contemporary IP that goes 
beyond the IoT. We have seen it occur in the context of the platformisation of 
education during the COVID-19 pandemic, when most universities adopted third- 
party proprietary platforms that de facto dispossessed teachers and students of 
their data.!?5 The IoT brings the irrelevance of formal ownership to the physical 
world and renders it ubiquitous. 

The power dynamics that underpin the death of ownership result in a fundamental
shift in ‘the traditional conceptions of ownership’126 that goes beyond
Echo’s case study: it is a core characteristic of the IoT as a whole, as noted in a
significant and comprehensive book on ownership in a ‘smart’ world: Owned by
Joshua Fairfield.127 Previous research had already underlined how the
dematerialisation of traditional goods was leading to a shift in the concepts of
ownership and property.128 Conversely, less explored had been the opposite move,
that is, when goods remain tangible but are embedded with software, service, and
data. This is the gap filled by Owned, which shows that IP law has usurped a
role traditionally delegated to property law when it comes to governing Things.
Through IP-enabled postsale control over the Things — and ultimately over their
‘owners’ — IoT companies are responsible for a system that Fairfield sees as
reminiscent of the feudal times, when people would only manage property subject
to the ruler’s will. The feudal lord’s power was exemplified by the infamous
ius primae noctis, the right to have sexual intercourse with his peasants’ brides
on the night of the wedding. While there is no hard evidence that the ius primae
noctis actually existed,129 Owned refers to it as a powerful metaphor: ‘as the
owner of the intellectual property embedded in the device, and as the drafter
of clauses buried deep within its license agreement,’130 IoT companies may be
regarded as digital lords who blatantly invade the property and privacy of the
users, who are demoted to digital peasants.

Fairfield goes as far as to claim that ‘[l]ike the serfs of feudal Europe who
lacked rights in the land they worked, without digital property rights, we aren’t
owners — we’re owned.’131 The solution to the death of ownership is found in the
extension of the property rights that people have traditionally enjoyed over their
things. Alongside the rights to modify, sell, use, and exclude — traditionally
associated to ‘ordinary’ property — Fairfield claims that we should have the rights
to hack, sell, run, and ban.132 To some extent, this has been already recognised by
the Library of Congress’s Copyright Office, which has introduced new exemptions to
the Digital Millennium Copyright Act in order to recognise a right to hack one’s
own Thing without the fear of being liable for copyright infringement for the
unauthorised use of the software embedded in the Thing.133 These include
exemptions to ‘unlock’ the Thing to connect it to alternative wireless networks and
to ‘jailbreak’ it to make the Thing interoperable. It also includes more specific,
IoT-friendly exemptions for purposes of diagnosis, repair, and lawful modification
of motorised land vehicles.134 Whilst stronger IP exceptions may play a role as
part of a strategy to re-empower IoT users, they are not as such sufficient. More
importantly, their revitalisation can be hindered by a strengthening of the property
right over the Thing. IP exceptions are not grounded in the right to property: they
reflect the public interest to ensure freedom of expression and information, as
well as the right to self-determination. Extended property rights do not achieve
much; they inherently foster the private interest, whose all-absorbing character in
the IoT threatens the public and collective interests.

The parallel between IoT and feudalism, whilst a potent metaphor, does not
fully account for the power dynamics at play in feudal times and today. In the
current stage of capitalistic development, IoT companies leverage their IP and data
power to impose their private interests on the end users’ rights and freedoms — not
only on their property, but also on their fundamental freedoms that it is in the
public interest to protect, e.g. expression and information. Under medieval law, the
lord could not wield property as a weapon: the power over the land depended on — and
could be limited in view of — the collective interest, mainly to ‘a more abundant
and higher-quality agricultural harvest,’135 which would ultimately bind both the
lord and the peasants. As revolutionary Paul Lafargue put it, the feudal landlord
‘has obligations and is far from enjoying the liberty of the capitalist — the right to
use and abuse. The land is not marketable; it is burdened with conditions.’136 In
a sense, the public interest could be seen as able to limit private power, that is,
the opposite to what appears to be happening under IoT capitalism.137 Property,
the private interest, and IP become the real protagonists of the market dynamics
with the passage from feudal society to bourgeois society.138 That was the
moment when the ownership of goods started to be branded as ‘natural,’ as
if it emanated from the ownership over oneself.139 Thus, property became the
most significant contributor to a person’s individuality, and the bourgeoisie,
by accumulating ‘sacred’140 property, reorientated society towards profit and
accumulation of wealth. I would posit that the individualist outlook of bourgeois
society — as opposed to medieval property — is the real precursor of the
current state of things. The death of ownership is not the death of property: in
the IoT, property thrives in the forms of IP, data power, contractual and technical
control. Under their weight, citizens’ freedoms, their collective interests, and
the public interest risk succumbing. Compared to this, the feudal communities,
based on collective property and the feudal hierarchy where everyone ‘from the
serf upwards to the king . . . were bound by the ties of reciprocal duties,’141
become a rather alluring prospect.

Even though the metaphor of digital serfdom has its drawbacks, it is possible
to trace a parallel between feudalism and the IoT economy. It has been noted that
the ‘most distinctive feature of villein tenures was labour rent, i.e. the obligation
to perform unpaid labour-service’142 on the manorial demesne. The demesne was the
land that the lord retained for his own use and under his own management. From
this viewpoint, an echo of this unpaid labour is present in the increasingly
widespread practices of digital labour that see IoT users becoming unwitting
workers. E.g. to extract value from images, companies need to annotate them, namely,
they need to add tags that say, ‘This image contains a cat, a person, etc.’ In this
way, image datasets can be used to train image-recognition AI models. However,
manual annotation is slow and expensive. The solution Facebook came up with
was to use user-generated hashtags as a proxy to human annotations for training
purposes.143 Thus, by ‘using a dataset comprised of 3.5 billion Instagram photos,
Facebook was able to achieve an all-time record-high score of 85.4 percent on
image recognition accuracy.’144 I would argue that this free labour that Instagram
users provide resembles the unpaid labour provided by the peasant on the manorial
demesne. As data is the main commodity in the IoT market and it is produced in
large quantities by IoT users, the latter necessarily qualify as unwitting workers
and should therefore be protected both in their individual and collective dimension.

Private property, by definition, will always be a means to protect the capitalist’s
private interest. Part of the capitalist strategy has been presenting IP as a
form of nearly absolute property, as opposed to a policy bargain between the
public and the rightsholders.145 Against this backdrop, extending property rights
is a dangerous path to take. By contrast, an answer may be found in the limitations
to property. These can be intra-IP (exceptions), extra-IP (competition), and
even extralegal limitations (the commons). The next sections will critically assess
whether intra-IP limitation can be at the centre of a strategy to re-empower IoT
users affected by the death of ownership.


6.4 Intra-IP Limitations: IP Exceptions or the Piecemeal 
Protection of Public Interest 


Our Things being protected by a plurality of IPRs and embedding a variety of IP
works, combined with the strategic use of contractual, technical, and factual
controls, leads to an imbalanced relationship between the IoT company/rightsholder
and the end user. The death of ownership is the epitome of this imbalance. The
principle of exhaustion is a key way IP law ensures a fair balance is achieved.
However, we have seen that the principle is itself ‘exhausted’ in light of the Tom
Kabinet doctrine with its outdated tangible-intangible divide, arbitrarily narrow
interpretation of ‘software,’ and expansion of the right of communication to the
public. Therefore, it becomes even more important to assess whether IP law
provides effective tools to maintain a balance between public interest and private
interest, as well as between the rightsholders’ interest and the end user’s ones:
this is the realm of IP exceptions, also known as permitted acts or defences.146
These exceptions allow users of IP works to carry out certain activities without the
permission of the rightsholder. They can be invoked by the defendant in
infringement proceedings and can be regarded as a way to inject public interest into
IP, albeit in a piecemeal way.147 As held in Deckmyn,148 it is in the public interest
to protect freedom of expression, and this includes the unauthorised use of IP works
for parody purposes.149 The role of exceptions as devices to inject the public
interest into IP has become more evident in parallel to the increased awareness of
the importance of a commitment to sustainability in a time of climate emergency. To
adopt a more flexible and balanced approach to exceptions, as epitomised by the
fair use doctrine, would ‘préserver pour les pays la flexibilité de continuer à
élaborer des limitations et exceptions selon leurs besoins, dans leur propre contexte
local.’150 Sustainable — and, more generally, fair — IP needs to have strong in-built
limitations.

My starting point is that, regardless of the manifold ways IoT users attempt
to neutralise the end users’ proprietary prerogatives, the latter could still use
their Things without the former’s permission as long as the relevant activity falls
within the scope of one of the IP exceptions. On the face of it,151 the IP exceptions
that more clearly lend themselves to give back (some) control to the end user in
the context of the IoT are:


(i) Observation, study, and test of the functioning of a computer program;152
(ii) The decompilation (or reverse engineering) exception;153
(iii) Private copy of copyright works;
(iv) Insubstantial extraction and reutilisation of databases protected by the sui generis right;
(v) Use of a trade secret for freedom of information purposes;154
(vi) Use of a trademark not ‘in the course of trade’155 and with ‘due cause’;156
(vii) Acts done privately and for noncommercial purposes in respect of objects protected by design rights.


An IoT user with some IT skills may want to inspect the Thing’s software to
understand how it works, e.g. to comprehend the logic of the black box algorithm
that runs in the Thing. In principle, this falls within the scope of the exception
that the Software Directive sets forth ‘to observe, study or test the functioning
of the program.’157 However, to successfully invoke it, the defendant must meet
the following requirements: (a) they must be a lawful acquirer, that is, a ‘person
having a right to use a copy of a computer program’;158 (b) the purpose has to
be the determination of the ‘ideas and principles which underlie any element of
the program’;159 (c) the activity must be carried out ‘while performing any of the
acts of loading, displaying, running, transmitting or storing the program which
(they are) entitled to do.’160 The first requirement has to be interpreted broadly
as encompassing anyone having a right to use the program based on a license or
otherwise.161 This is straightforward as the owner of a Thing is likely to qualify as
a lawful user despite being a mere licensee of the embedded software, unless the
Thing as a whole is held under a subscription contract. The second requirement
can constitute more of a hurdle because it can be interpreted as excluding
activities that go beyond the mere understanding of the ideas to e.g. repair or
improve the software. The third requirement is the most problematic because it might
be construed as meaning that the IoT company can use the EULA or one of the other
‘legals’ to restrict the types of acts that end users can put in place while studying,
testing, etc. the program. Even though this is a grey area, IoT companies cannot
go as far as to exclude this exception altogether, directly or indirectly. Indeed,
under Article 8 of the Software Directive, any contractual provision contrary to
this exception is null and void. Arguably, this should extend also to those technical
measures aimed at restricting user freedoms in the ‘Internet of Digital Locks.’

The right to decompile the embedded software is a complementary exception
that IoT users affected by the death of ownership can trigger.162 Decompilation is
a method of reverse engineering whereby a program’s code is analysed and the
program is translated from a low level of abstraction to a higher level. Reverse
engineering is a more general concept that goes beyond software (hardware can
be reverse engineered) and has to do with the extrapolation of the underlying logic
of a system based on the observation of its visible behaviour. Like the observation
exception, the right to decompile cannot be overridden contractually; therefore,
it can be useful to counter the power imbalance between IoT companies and end
users by neutralising the contractual quagmire seen in Chapter 2. Decompilation
is particularly important from this book’s perspective given the vital role
interoperability plays in preventing the Internet of Silos. Practically, this right
gives IoT users the power to reproduce and translate the software’s code to obtain
the information necessary to achieve the interoperability of an independently
created computer program. Defendants will have to prove:


(i) To be a lawful user (typically a licensee);163

(ii) That the information necessary to achieve interoperability had not been previously made readily available;164

(iii) That reproduction and translation of the code are confined to the parts of the original program which are necessary in order to achieve interoperability;165

(iv) That the three-step test is made out, namely, that the exception does not unreasonably prejudice the rightsholder’s legitimate interests or conflict with a normal exploitation of the computer program.166


The main limitation of this exception is that reverse engineering is possible only
to obtain interoperability-related information. This is likely to require skills that
most users will not have. It could nonetheless benefit them indirectly by allowing
developers to design interoperable Things. Additionally, in the case of complex
software, reverse engineering ‘does not provide a viable means for achieving
interoperability,’167 and this will usually be the case with IoT software, due to its
intrinsic complexity and its being fused with hardware.168 A more IoT-friendly
copyright and patent law would entail a positive obligation for developers to
disclose the interoperability information.169

Whilst the embedded software falls clearly within the scope of that subcategory
of copyright that is regulated by the Software Directive, other components
of our Things are covered by ‘general’ copyright law, as enshrined in the Infosoc
Directive and the Copyright in the Digital Single Market Directive, which
was transposed by member states in June 2021. Under Nintendo v PC Box,170
complex multimedia products fall within the scope of both general copyright
and software copyright when the CJEU interprets the provisions on the
rightsholder’s rights and remedies. The law of complex multimedia products is far
from settled, however. Tom Kabinet171 is indicative of this issue as the court held
that e-books are attracted under ‘general’ copyright as opposed to ‘special’
software copyright. Whilst the code of the embedded program is covered by ‘literary’
copyright, the original interface of the Thing, should the Thing have one, may be
protected as an artistic work.172 The original sounds emitted by the Thing, either
downloaded or streamed, may qualify as musical works.173 Accordingly, the IoT
company’s exclusive rights are limited by a number of exceptions to ‘general’
copyright. In particular, the private copy exception appears to be the most suitable
to re-empower the IoT user who is affected by the death of ownership. Under
the Infosoc Directive, member states may allow the unauthorised reproduction
of copyright material for private and noncommercial use, by natural persons, on
condition that the rightsholders receive fair compensation, unless the prejudice
caused to them is minimal.174 Positively, this exception applies to the reproduction
on any medium.175 Therefore, e.g. a Thing’s user could make a copy of the
Thing’s digital content accessed through the cloud and save it on a computer
or other device.176 However, the private copy exception has three shortcomings.
First, it is optional. Unlike the aforementioned exceptions to software copyright
and unlike the new exceptions under the Copyright in the Digital Single Market
Directive, member states have discretion when it comes to the implementation
of most of the exceptions under the Infosoc Directive.177 This explains why the
UK does not provide the private copy exception178 and the Republic of Ireland
only partly implemented it.179 Second, unlike the Software Directive, the exception
can be overridden by means of contracts and technological protection measures.180
Therefore, IoT companies can contract it out and technologically exclude
it. Third, the CJEU interprets the concept of communication to the public broadly,
thus leading to the excessive monopolisation of intangible assets and, ultimately,
the death of ownership.181 The Vcast case182 well illustrates the point. The dispute
regarded an online recording service of television broadcasts in which Vcast
captured the television signal by its own antennas and recorded the time slot of
the selected broadcast signal in the user’s cloud storage. The private copy exception
applies to the right of reproduction and not to the right of communication to
the public.183 The CJEU argued that the concept of communication to the public
must be interpreted broadly as ‘covering any transmission or retransmission of a
work to the public by wire or wireless means, including broadcasting.’184 Since
the ‘active involvement’ of Vcast in the realization of the private copies required
some form of transmission — and hence, according to the court, of communication
to the public — it followed that the private copy exception would not apply.
This links back to the aforementioned issue of the ‘exhaustion of exhaustion’:
since Things are interactive objects that are embedded with content that is often
transmitted and retransmitted, there is the risk that the private copy exception
will not be available to IoT users. De lege ferenda, alongside being subject to the
principle of exhaustion, the private copy exception should be rendered mandatory
and binding.

IP, however, is not only about the protection of intangible assets. After some
recent jurisprudential developments at the EU level, three-dimensional copyright
is of growing importance. Traditionally, the only three-dimensional works to be
protected by copyright were artistic works, and in particular sculptures, works of
architecture, and works of artistic craftsmanship.185 Arguably, most Things cannot
be regarded as any of these ‘works.’ Sculptures are protected irrespective of
artistic quality, but the UK Supreme Court interpreted narrowly the concept of
‘sculpture’ in Lucasfilm v Ainsworth.186 There, the Imperial Stormtrooper’s helmet
(Figure 6.2) was deemed not to fall within the scope of copyright protection
because it was a mere prop, not a sculpture.187

It is fair to say that most Things are closer to props than they are to sculptures.
Works of architecture, e.g. buildings, may be embedded with Things, but they
are not a Thing as such, following this book’s approach. Finally, works of artistic
craftsmanship refer to things such as handcrafted jewellery and hand-knitted
mittens. Regardless of the fact that most Things are industrially produced and
cannot be regarded as a work of artistic craftsmanship, they are unlikely to meet
the additional requirements of being of artistic quality and of craftsmanship.188

Figure 6.2 Imperial Stormtrooper helmet. Copy created from the original mouldings used
in the first Star Wars film A New Hope.

Source: RS Prop Masters.


This approach is consistent with the traditional assumption that copyright protects
only an exhaustive list of ‘works,’ namely, literary, dramatic, musical, artistic
works, films, sound recordings, typographical arrangements, and broadcasts.189
This theory of the numerus clausus (closed number) has been arguably abandoned
by the CJEU notably in Levola Hengelo190 and Cofemel.191 In the former case,
regarding the taste of cheese, it was held that for something to be a work, it must
be original and it must be expressed in a manner which makes it identifiable with
sufficient precision and objectivity.192 In Cofemel, a case about the protection of
the design of a line of jeans, the court applied Levola Hengelo and further clarified
that all works that are original and identifiable with precision and objectivity are
protected by copyright: no additional and subjective requirements are allowed.193
This means that the tangible components of the Things may be protected even
though they do not fall under any of the categories of ‘works’ as long as they are
the author’s own intellectual creation and if the subject matter of protection can
be identified with precision and objectivity. If that is the case, the aforementioned
considerations on the private copy exception apply.

The tangible components of a Thing may be protected as well by means of
patents, trademarks, and design rights. For the purposes of this book, it is possible
to ignore patents since they — and their exceptions — have not been harmonised
at the EU level. Trademarks need only touching upon because, although one can
register a shape as a trademark, the vast majority of these applications fail because
consumers are unlikely to think of a shape as being indicative of a particular
undertaking’s goods.194 Moreover, applications for three-dimensional marks have
to overcome three absolute grounds for refusal that before the 2015-2017 reform
applied only to shapes:195 it will not be possible to register a shape that depends
on the nature of the goods, is necessary to achieve a technical result, or adds
substantial value to the good.196 The latter would most likely apply here. Indeed,
as Advocate General Szpunar noted in Hauck,197 the rationale of this exclusion is
to demarcate the protection conferred by trademarks and that conferred by
industrial designs and copyright, which are usually seen as better suited for the
external features of goods that ‘substantially enhance (their) attractiveness . . . and
strongly influence consumer preferences.’198 I would argue that the shape of the
Things influences consumer preferences and thus cannot be registered as a
trademark as it adds substantial value to the Thing. There is evidence that consumers
purchase Things based on emotional factors rather than rational ones related to
the functionalities of the Thing as such.199 Design plays a key role in eliciting
consumer emotions based on a product’s attractiveness.200 I would conclude that
the fact that the design of a Thing affects the decision to purchase it suggests
that IoT companies are unlikely to be successful in registering the shape of their
Things as a trademark as that shape would add substantial value to the goods.
Nonetheless, should a Thing’s shape be registered as a trademark, its private use
would not constitute infringement because 3D mark owners can only prevent uses
‘in the course of trade.’201 A trademark is used in the course of trade if it performs
one of the functions of trademarks, mainly, if it acts as a ‘badge of origin’202
of the good or service. Most private uses of IoT shape marks will not qualify as
infringement because a private use of a Thing is unlikely to signal to third parties
a claim that the Thing originates from the end user. Moreover, in line with
ECtHR jurisprudence, freedom of expression can operate as an external limit to
trademark law.203 Some have argued that it is not necessary to introduce external
freedom-of-expression limits because ‘EU trade mark law itself provides for limits
that guarantee respect of the freedom of expression.’204 This applies especially
to well-known marks, such as Amazon’s arrow. Their protection is stronger than
ordinary marks, but their unauthorised use does not constitute infringement if it
is supported by ‘due cause.’ There is no definition of due cause, but as held
in Leidseplein v Red Bull,206 it includes ante-registration uses and uses that are
in good faith. The CJEU underlined that the concept of due cause is intended to
strike a balance between the proprietor’s interests and either objective or subjective
interests of a third party using the identical sign. Although the court does
not couch this as freedom of expression, it is not unfounded to see the concept
through this lens. Whilst it is contested whether freedom of expression creates an
autonomous defence to trademark infringement, it is clear that existing exceptions
must be interpreted broadly. Indeed, the new Trade Marks Directive and the EU
Trade Marks Regulation,207 for the first time, provide that their application must
ensure ‘full respect for fundamental rights and freedoms, and in particular the
freedom of expression.’208 Accordingly, in the unlikely event that the shape of a
Thing is registered as a trademark, freedom of expression will breathe life into the
aforementioned defences and most acts carried out by IoT users will not qualify
as infringement.

Design rights209 appear to be the most suitable form of IP protection for the
shape of a Thing and, more generally, its tangible components.210 Design means
the ‘appearance of the whole or a part of a product resulting from the features
of, in particular, the lines, contours, colours, shape, texture and/or materials of
the product itself and/or its ornamentation.’211 In light of the composite nature
of most Things, many of them will likely qualify as ‘complex products,’ which
design law defines as products ‘composed of multiple components which can be
replaced permitting disassembly and reassembly of the product.’212 If a Thing’s
design — or the design of its visible component parts if we are dealing with a
complex product213 — is novel214 and has individual character,215 the rightsholder
can prevent anyone, including the IoT user, from using the product.216 However,
although the ‘delineation of rights is not restricted to commercial uses,’217 design
rights cannot be exercised in respect of acts done for private and noncommercial
purposes.218 This exception — that applies also to Community Design Rights219 — is
mandatory, and therefore, member states must provide it in their national laws.220
It is unclear whether the exception can be overridden by means of a contract,
e.g. via the terms of service linked to the purchase of a Thing. On the one hand,
the Design Directive is without prejudice to other forms of protection, including
civil liability and unfair competition, whilst contract law is not mentioned.221 On
the other hand, no specific provision on the contractual overridability is made.
The exception is further narrowed by national laws imposing requirements of
(i) no undue prejudice to the normal exploitation of the design, (ii) compatibility
with fair trade practices, and (iii) acknowledgement of the source.222 However, the
interpretation of design law and of its exceptions should never lead to a
disproportionate interference with freedom of expression, as the ECtHR held in
Plesner v Louis Vuitton.223 This should empower the IoT user to utilise their Things
as freely as possible regardless of their design protection. Moreover, design rights
should not be used to stifle innovation and suppress competition. This was made
clear by the CJEU in Nintendo v BigBen,224 where the citation exception — hitherto
regarded as narrowly applicable — was ‘transformed into a far more expansive
right for third-party competitors to re-produce designs to explain or demonstrate
product compatibility.’225 These human rights-orientated interpretations of
the exceptions are fit for the IoT and should be welcomed as a positive approach
to balancing IP and competing interests.226

It is of little doubt that the value of the IoT is intrinsically linked to the value
of the big data produced by our Things, also known as machine data or industrial
data.227 Whilst data as such and in isolation is not covered by IP, it can be
protected under certain circumstances by an oft-forgotten right, namely, the sui
generis right under the Database Directive (also known as ‘the database right’).228
This is of particular relevance in the context of machine-generated datasets that
are at the core of the IoT. The sui generis right is not confined to physical
databases where documents are systematically archived (e.g. the Wiener Holocaust
Library) and to online databases (e.g. WestLaw). Under this directive, a database
is any collection of ‘independent works, data or other materials arranged in a
systematic or methodical way and individually accessible by electronic or other
means.’229 In principle, an air company’s website that allows users to search and
book flights can be regarded as a database.230 The collection of voice recordings
of the users’ interactions with Google Home could be an example of an IoT database.
Indeed, these recordings are stored systematically and made available in an
individually retrievable way.231

A database may be protected by copyright or by the sui generis right. I will
overlook the former as only a minority of IoT databases will attract copyright.
Indeed, for a database to be copyright protected, the selection and arrangement
of the contents must be original, that is, the author’s own intellectual creation.232
Copyright is not fit for IoT databases because of the prevalence of automation in
selecting and arranging the contents; in other words, the setting up of these
databases ‘is dictated by technical considerations, rules or constraints which leave
no room for creative freedom.’233 IoT databases, nonetheless, could be protected by
the sui generis right, since the latter does not require originality. The maker of a
database has the right to prevent extraction and reutilisation of the contents of
the database if the investment in obtaining, verifying, or presenting its contents
was substantial.234 One could object that IoT companies do not need to invest
substantially to set up their databases, since they are mostly machine-generated.
However, in reality, the threshold of substantiality accepted by courts throughout
Europe is low. In practice, any investment is regarded as substantial as long as it is
‘more than minimal.’235 IoT companies will not struggle to identify even a limited
amount of ‘human, technical and financial resources’236 invested in the database,
and therefore, this requirement is unlikely to constitute a hurdle. An investment
will be needed e.g. for human beings to label the data, especially if the database
relies on supervised or semisupervised learning techniques.237

The sui generis right is often regarded as unfit for IoT data.238 The unfitness is
mostly based on British Horseracing Board v William Hill239 and the three Fixtures
Marketing cases,240 where the CJEU took the debatable decision that the investment
into newly created — as opposed to already existing, ‘obtained’ — data does not
attract sui generis protection. Many have interpreted this obtaining-creating
dichotomy as an endorsement of the so-called spin-off theory, whereby ‘databases which
are the by-products of the main activities of an economic undertaking (‘spin-off’
databases) are in principle not protected by the sui generis right.’ The example
of such spin-off databases made by the Commission was ‘the automated creation
of machine-generated data (e.g. Internet of Things data).’ However, the spin-off
theory has no sound basis in the four aforementioned cases. Indeed, the CJEU held
that the creation of a database can be ‘linked to the exercise of a principal
activity in which the person creating the database is also the creator of the materials
contained in the database’ as long as the obtaining, verification, or presentation
‘required substantial investment . . . independent of the resources used to create
those materials.’ Accordingly, although most IoT databases may be regarded as
spin-off databases, they could nonetheless be protected by the sui generis right.
More generally, the CJEU cases — and their postulation of an obtaining-creating
dichotomy — can be criticised for three reasons. First, British Horseracing and
Fixtures Marketing overemphasise the relevance of some recitals of the Database
Directive that could be invoked to reach the opposite conclusion. In particular,
they can lead one to conclude that databases of ‘created’ data are in fact protected
by the sui generis right. As pointed out in Recital 9, databases are a vital tool in the
development of an information market. Given that the majority of the investments
made by the database makers regard data collection rather than the setting up of the
database itself, this recital can be construed as providing an argument in favour
of the relevance of investments in ‘created’ data for the sui generis right to subsist.
Second, a comparative analysis of domestic case laws shows that the same data can
be treated as ‘created’ in some jurisdictions and ‘obtained’ in others, with live
football data deemed to be ‘created’ in Germany and ‘obtained’ in the UK. Third,
the Fourth Industrial Revolution shows the untenability of the creating-obtaining
dichotomy. This is well illustrated by the use of AI-powered data mining in
predictive analytics: it leads to inferences, identification of patterns, and discovery
of correlations between existing data; one could argue both ways, that this data is
created or, as seems more reasonable, obtained.

231 ‘Google — My Activity’ <https://myactivity.google.com/activitycontrols/webandapp>.

232 Database Directive, art 3(1); Case C-604/10 Football Dataco v Yahoo! UK [2012] Dir com sc int
269.

233 Football Dataco (n 232) [39].

234 Database Directive, art 7.

235 European Commission, ‘SWD “Evaluation of Directive 96/9/EC on the Legal Protection of
Databases” (2018) SWD(2018)147final 27.

236 Database Directive, recital 7.

237 Noto La Diega, ‘Artificial Intelligence and Databases in the Age of Big Machine Data’ (n 56).

238 Matthias Leistner, ‘Big Data and the EU Database Directive 96/9/EC: Current Law and Potential
for Reform’ in Sebastian Lohsse, Reiner Schulze and Dirk Staudenmayer (eds), Trading Data in
the Digital Economy: Legal Concepts and Tools (Nomos 2017) 25.

239 Case C-203/02 British Horseracing Board v William Hill [2004] ECR I-10415.

240 Case C-338/02 Fixtures Marketing v Svenska Spel [2004] ECR I-10497; Case C-444/02 Fixtures
Marketing v OPAP [2004] ECR I-1549; Case C-46/02 Fixtures Marketing v Oy Veikkaus Ab
[2004] ECR I-10365.

Given that, consequently, it can be argued that the sui generis right provides
some protection to IoT data, it becomes important to assess whether the exceptions
to this right can be successfully invoked by IoT users who find themselves
affected by the death of ownership. There are two exceptions that may come into
play in these scenarios. First, database makers cannot prevent lawful users from
extracting or reutilising insubstantial parts of the database’s contents.
Importantly, this is expressly qualified as a user right rather than an exception, and
therefore, any narrow interpretation should be excluded. This is further
corroborated by the generous wording of the directive, whereby insubstantial extraction
and reutilisation can be carried out ‘for any purposes whatsoever’; therefore,
commercial and mixed uses are included. It is mandatory for member states to
provide this right in the national implementation measures, and companies may
not override it contractually. The limit to this is that only a lawful user can
exercise this right, which means that if the terms of service prevent all access and
use of the database, the term will prevail over the exception. However, if the use
is permitted, then the terms of service (and the other ‘legals’) cannot be used to
prevent the insubstantial extraction of the database’s contents. Conversely, the
private use exception to the sui generis right is rather narrow. First, it is optional,
and therefore, member states can decide not to implement it. Second, contracts
can be used to override it, which is worrying in the IoT’s contractual quagmire
and associated power imbalance. Third, the private use exception applies only
to the extraction (and not to the reutilisation) of the contents of nonelectronic
databases, which makes it useless in an IoT context. The main weakness in any
strategy that would rely on the exceptions to the sui generis right is the narrow
interpretation given to this regime in Ryanair v PR Aviation. There, the
defendant’s screen scraping, i.e. the automated extraction of data from a website,
was considered to be in violation of the Ryanair website’s terms and conditions. In
particular, the low-cost airline put in place an exclusive distribution system and
prevented unauthorised websites from selling Ryanair flights. The use of the website
was limited to private, noncommercial purposes. The defendant’s argument was
that what they did was covered by exceptions that contracts could not override.
The CJEU held that if a database does not meet the requirements of originality or
substantial investment, it is outwith the scope of the directive, and therefore
the relevant exceptions cannot be invoked. This decision can be criticised on
three grounds. First, the directive’s scope is identified by reference to the
definition of database; therefore, as long as the materials are independent, arranged
systematically or methodically, and individually accessible, we are within the
scope of the directive and the exceptions should be available. The assessments
regarding originality and substantiality should not be conflated with the issue of
the scope of protection. Second, making the exceptions unavailable to users of
databases where neither substantial investment nor originality can be proved is
unreasonable. Indeed, it would lead to recognising a stronger protection to those
databases where the author did not put in place any intellectual effort or any
meaningful investment. Finally, the main justification of the Database Directive
is to stimulate investments in the database industry to bridge the gap between
the US and the EU market. This goal cannot be achieved by applying Ryanair
because this ruling incentivises the database makers not to invest significantly in
obtaining, verifying, and presenting contents. By reducing investments, they can
circumvent the database’s user rights and exceptions. The joint operation of the
obtaining-creating dichotomy and the Ryanair jurisprudence confirms the need to
revitalise the sui generis right and, in particular, its exceptions: otherwise, IoT
companies and other database makers can accumulate vast amounts of data and
increase their data power by contractual and technical means, thus cementing the
death of ownership.

IoT data is of tremendous value especially when used to train the algorithms
that constitute the IoT’s hidden architecture. Much of their value comes from
being secret. Indeed, as seen in the previous chapter, an increasingly important
role is played by the (ab)use of trade secrets on IoT’s algorithms and machine
data. The Trade Secrets Directive has clarified that, for a trade secret to subsist,
the information has to be (i) not generally known or readily accessible, (ii) of
commercial value because it is secret, and (iii) subject to reasonable steps to keep
it secret. One may argue that the information that is embodied in a Thing, being
easily accessible by third parties, can be accessed or reverse engineered and is
therefore not secret. Accordingly, one may say, the data and the algorithms that
are embodied in Things are not secret, as long as they can be easily accessed by
means of reverse engineering or decrypted. However, courts have become, over
time, more amenable to the idea of considering Thing-embedded algorithms as
secret. In Volkswagen v Garcia, the court e.g. granted an interim injunction to
prevent the disclosure of an algorithm. This algorithm was embedded in a car’s
immobiliser, and the defendants had accessed it by reverse engineering a
computer program that they had found online. Whilst theoretical objections can be
raised against the idea of IoT algorithms and machine data as trade secrets,
pragmatically one needs to take account of the fact that IoT companies do keep this
information secret, and this is part of its value. For example, the algorithm that allows
Alexa to be a powerful tool of the ‘Internet of Personalised Things’ constitutes
commercially valuable confidential information.

Trade secret protection is dangerous because IoT companies could keep the
information secret potentially forever. Although users may counter it by
invoking exceptions and GDPR rights (e.g. right to be informed), the likelihood that
this happens in practice is limited due to the secrecy of these practices. Under
Article 5 of the Trade Secrets Directive, user freedom can be ensured by a
number of exceptions that allow the unauthorised acquisition, use, or disclosure of a
trade secret. These exceptions are in place to ensure the interest of circulation of
knowledge. This is particularly the case with the exception ‘for exercising the
right to freedom of expression and information as set out in the Charter (of
Fundamental Rights of the EU).’ Whilst the emphasis of the directive is on press
freedom and media pluralism, these are not the only applications of freedom of
expression and information that are protected as a human right in Europe. This
is evidenced by the ECtHR jurisprudence that balances IP against higher
values and, in particular, freedom of expression and information under Article 10
ECHR. Although this case law regards copyright, the same rationale applies
to all IPRs, including trade secrets. It is not by chance that N.V. Televizier v The
Netherlands — the first-ever ECHR case about the balance of IP and human
rights — regarded Article 10. The first ‘balancing’ rulings in the seventies and
in the nineties did not find violations of Article 10. The ‘real breakthrough’
was in 2013, when the court started dealing with online copyright
infringement and its impact on free flow of information in the digital environment.
This change in direction started with the rulings in Donald v France and
The Pirate Bay. The facts were quite different, the former dealing with the
unauthorised publication of some photographs taken at a fashion show, the
latter with a notorious file-sharing platform that enabled the illegal download of
music, films, and computer games. Importantly, the court held that the
applicants’ convictions for copyright infringement constituted an interference with
Article 10. The interference was not considered disproportionate as the
expression the applicants were seeking to protect had commercial character. This
means that the abuse of IP, including trade secrets, to prevent an IoT user from
utilising their Things for noncommercial purposes may be regarded as
disproportionately interfering with freedom of expression.

In considering the scope of the Trade Secrets Directive’s freedom of expression
exception, one needs to account for the ECtHR’s practice of viewing IP ‘as an
exception to freedom of expression (which) must hence be narrowly interpreted.’
Even more progressive in its recognition of the limits of IP is the CJEU
jurisprudence, which has been balancing IP and freedom of expression — in particular,
freedom of information — in a way that allows the interpreter to requalify IP
exceptions as proper user rights as opposed to mere ‘exceptional’ defences available
only passively, should the rightsholder claim infringement. The CJEU has been
gradually recognising the importance of a fair balance between the rightsholders’
interests and the competing rights and interests in the context of IP disputes that
are examined ‘mainly from the angle of fundamental rights.’ It follows that
courts need to interpret trade secrets exceptions in a way that pursues a fair
balance between the IPRs and the ‘rights of the users of protected subject matter.’
As stated inter alia in Deckmyn and elaborated in the literature, IP and user
rights should be regarded as having equal standing.

At first glance, the more recent cases Funke Medien, Pelham, and Spiegel
Online would seem to go in the opposite direction. Indeed, they deny that
member states can create exceptions beyond those listed in the relevant
directives. This notwithstanding, these cases have been seen as the confirmation of
the ‘liberal, “freedom-of-expression-driven” approach of the CJEU’ to IP
balancing. Accordingly, the awareness that ‘freedom of expression and information
give a substantive content to the rights of users’ must inform the
understanding of the exceptions under all IP laws, including the Trade Secrets Directive.
Therefore, I would opine that under the freedom of information exception, trade
secrets cannot be used to prevent IoT users from handling their Things
unencumbered, especially so as to allow them to understand how their Things work
and to comprehend their underlying logic, including by accessing the Things’
intangible components.

The prospect of relying on a combination of exceptions-user rights to regain
control over one’s Things is appealing. However, its potential to tackle the death
of ownership in the IoT is thwarted by five factors. First, exceptions may counter
only abuses that are perpetrated by means of IP rights. IoT companies can find
ways to strategically bring their conduct outwith the scope of IP laws. If IP laws
do not apply, IP exceptions will be unavailable, as was the case in Ryanair v
PR Aviation. In practice, most of IoT data is likely to fall outside the scope of
the Database Directive, and IoT users are therefore unlikely to be able to invoke
the relevant exceptions. Second, although IP law discourages rightsholders from
using technological protection measures to compress the exceptions,
this may prove to be immaterial in practice. Indeed, the IoT is a high-speed and
low-focus environment, and therefore technical defaults can influence user
behaviour more than traditional legal rules. Third, contractual abuses may be tackled
only by those exceptions that expressly override contracts. De lege ferenda, it is
crucial to streamline all IP exceptions to render them binding. Fourth, IP
exceptions can do little to empower IoT users affected by factual control over the Thing,
in particular over services and data. Abuses of data power are under increased
scrutiny of antitrust authorities, but competition law remains unfit for these new
forms of power. The recent inquiry of the European Commission into the
antitrust issues of the IoT confirmed this inadequacy. It remains to be seen whether
unconventional interventions such as the Data Governance Act, the Digital
Services Act, and the Digital Markets Act will be able to curb IoT power. Finally, the
viability of exception-focused strategies is limited by the issue of IP overlaps. The
latter predates the IoT but is exacerbated by this sociotechnological phenomenon.
To test the viability of the proposed exception-focused strategy, the next section
will give a closer look at IP overlaps.


6.5 IP Overlaps and the Erosion of IP Exceptions in the ‘Smart’ World


The IoT provides an excellent illustration of the problem of the cumulation of
rights. As IPRs overlap, any strategy aimed at countering the death of ownership
by leveraging the potential of IP exceptions is called into question. Indeed, what
constitutes an exception under one IP subsystem (e.g. copyright) may constitute
infringement under another (e.g. design rights). The IoT ushers in an era of
ubiquitous computing and ubiquitous IPRs. The more these rights expand, the more
user rights contract.

Despite some similarities, the exceptions analysed in the previous section are
rather diverse. Some are mandatory; others are left to the discretion of member
states as to whether to implement them. Some are binding; others can be
overridden contractually. Some cover commercial uses; others do not. Some are regarded
as user rights; others are not. The joint operation of overlapping IPRs
covering virtually any aspect of a Thing and the misalignment between IP exceptions
hampers any strategy to counter the death of ownership in the IoT by invoking IP
exceptions.

The question of IP overlaps may be perceived as niche, but it is of great
theoretical and practical importance. Countless laws have been passed — and
numerous rulings have been handed down — in the 310 years of the history of
copyright legislation, from the Statute of Anne to the Copyright in the Digital Single
Market Directive. These laws and rulings have enlarged the types of subject
matters eligible for protection (e.g. databases), widened and strengthened
the owners’ exclusive rights (e.g. the all-encompassing right of communication
to the public), and provided discrete IPRs for their protection (e.g. the new
publishers’ right that adds to already-existing author rights on the same subject
matter). The fact that the ‘expansion of (IP) rights at the international level
is more extensive than ever’ is at the root of this phenomenon and of the
subsequent issue of overlaps. If a country wishes to be a member of the WTO, they
have to accept being bound by the Agreement on Trade-Related Aspects of
Intellectual Property Rights (TRIPS). This agreement obliges contracting states
to protect all the rights covered by the treaty, that is, copyright and related
rights, trademarks, geographical indications, industrial designs,
patents, topographies of integrated circuits, and protection of undisclosed
information. The lack of adequate protection of these rights would expose
the country to a breach of the TRIPS obligations falling under the jurisdiction
of the WTO Dispute Settlement Body. Conversely, it is left to the states’
discretion whether to introduce IP exceptions. If they do introduce them, they need
to comply with the three-step test. As touched upon in the previous section,
exceptions need to be limited to certain special cases, not to conflict with the
normal exploitation of the work and not unreasonably prejudice the legitimate
interest of the owner. Whilst a fair and balanced interpretation of the
three-step test could be put forward, the WTO favours a strict interpretation that
regards the limbs as cumulative. The situation is worsened by the so-called
TRIPS-plus provisions: free trade agreements that introduce stronger IP
protection in exchange for trade opportunities. TRIPS-plus provisions further
tilt the IP balance in favour of rightsholders, especially those based in
developed countries. This is exemplified by the data exclusivity provisions that, by
allowing pharmaceutical test data submitted by companies to drug regulatory
authorities to remain secret, factually and substantially extend the duration and
the scope of the monopoly granted by the relevant patent. This is one of the
reasons that a COVID patent waiver may not suffice and more courageous,
open innovation models should be adopted. Stronger and pervasive IPRs led
to their overlaps becoming commonplace. This also depends on
technological development producing a ‘diversity of goods and services and ever-more
powerful platforms to deliver them.’ Existing IP laws are often claimed not
to be fit for these innovations, which typically leads to additional protection
being provided in legislation or case law, with judicial expansions being often
crystallised in legislation.

The negative effects of this accumulation can be seen most clearly in the IoT,
where virtually every aspect and component of even simple Things are protected
by some form of IP. This risks neutralising the potential of IP exceptions because
many of the acts covered by an IPR’s exceptions constitute infringement of
another IPR. Most countries, including all EU countries, allow or even impose
partial overlap and cumulation of IPRs. There are three scenarios where IPRs
overlap. First, two (or more) rights may cover the entirety of the subject
matter. Artistic works e.g. can be the domain of copyright, design, and trademarks.
Second, the subject matters of the IPRs may overlap in part. This is the case with
plant-related inventions that are protected by patents and plant breeders’ rights.
Third, an article may be protected by a range of IPRs, but each of them protects
different aspects of the article; e.g. a product’s aesthetic aspects are covered by
design rights, its functional aspects by patents. In the IoT, all three scenarios
occur. There are instances where the two sets of IP laws will dictate clear rules
on mutual exclusion. This is not a common occurrence. Usually, interplay and
demarcation rules are unclear and more than one IP law will apply. The
resulting overlaps can be criticised due to their leading to uncertainty and
overprotection. Indeed, when overlaps occur — and in the IoT they are the rule rather than
the exception — the ‘strictest regime overrides the more generous one.’ In a
context where the exceptions to the IPRs vary so greatly from one IP subsystem
to another, this renders any strategy that centres on these exceptions unlikely to be
successful, especially in an IoT world.

An in-depth analysis of IP overlaps is beyond the scope of this chapter. Three
examples will suffice: (i) the cumulation of copyright and patents in protecting
software, (ii) the troubled relationship between general copyright and special
copyright in complex multimedia products, and (iii) the copyright-design
interface. They are, at once, the most relevant from an IoT perspective and the most
topical in current IP jurisprudence. A particularly fitting scenario regards the
copyright-patent interface in the protection of software. At an international,
European, and national level, attempts to draw a clear line between the domain
of software copyright and software patents have not led to clarity. In Europe,
software is excluded from patentability only ‘as such.’ This criterion of
prevention of overlaps becomes irrelevant in an IoT world, where the boundaries
between software and hardware are blurred. In Europe, whilst there is a
harmonized right to reverse engineer that users can invoke without the copyright
holder’s permission, IoT companies may block it by qualifying it as patent
infringement since the relevant defences have not been harmonised. E.g. in
the UK there is no reverse engineering defence in patent infringement
proceedings. Equally, copyright holders’ power to control derivative software is at odds
with the right to patent derivative nonobvious inventions. More generally,
there are fewer and divergent exceptions in patent law, and this allows patent law
to override copyright exceptions. It has been noted that, consequently,
software patent holders are in a stronger position compared to companies that hold
copyright. However, it has been overlooked that IoT companies may at the
same time be patent holders and copyright holders; accordingly, they can leverage
their multiple IPRs to neutralise IP exceptions. Law and economics studies have
shown that the copyright-patent overlap is overprotective, anticompetitive, and
undesirable, with some commentators convincingly arguing for a resolution of
the conflict by abolishing software copyright or significantly limiting its scope.
More moderate proposals include a call for reconsidering the balance between
freedom of use and protection of the right owner via a patent fair use defence that
could be invoked irrespective of commercial motivations. A reform that would be
necessary from an IoT perspective would be to make sure that patents and
copyright provide for the same exceptions and that these are qualified as user rights.
The second scenario has to do with the relationship between software copyright
and general copyright in multimedia products. The composite nature of Things
has been mainly explored with regard to its amalgam of software, hardware,
service, and data. However, it goes beyond it. The analysis of Tom Kabinet has
already shown that as e-books are composite products — computer programs and
digitised literary works — the stronger protection afforded by general copyright
law prevails, in that case rendering de facto irrelevant the principle of exhaustion
on the basis of a non-IoT-friendly tangible-intangible dichotomy and an
unjustifiably narrow interpretation of the concept of software.

Tom Kabinet is no isolated incident. In Nintendo v PC Box, for the claimant’s
video games and consoles to work, they would have to exchange encrypted
information, thus ‘recognising’ each other and confirming that the game was not
counterfeit. Although the nature of this pairing mechanism was contested, Nintendo
regarded it as a form of technological protection measures. Their circumvention
is forbidden under the Infosoc Directive. The defendant manufactured devices
that enabled video games other than Nintendo and Nintendo-licensed games to
be played on the claimant’s consoles. The latter accused the former of thusly
circumventing their technological protection measures. The defendant put forward
two contentions. First, Nintendo’s ‘locks’ could not be regarded as a technological
measure because they were present both in the hardware of the console and in the
video games. This argument was rejected by the CJEU, which accepted the advocate
general’s broad interpretation of technological protection measure as including
the application of an access control or protection process, such as encryption,
scrambling, or other transformation of the work or other subject matter or a copy
control mechanism.’ Importantly, this interpretation was supported by the
observation that ‘the principal objective of (the Infosoc Directive) is to establish a
high level of protection in favour, in particular, of authors, which is crucial to
intellectual creation.’ Such an approach is at odds with a key tenet of copyright
law, whereby copyright is a policy bargain, a delicate balance between the
rightsholder’s interests and competing private and public interests. The second
contention that PC Box put forward was that Nintendo’s true purpose was to prevent
the use of independent software and to compartmentalise markets by rendering
games purchased in one geographical zone incompatible with consoles purchased
in another. The referring court itself had found that the effect of Nintendo’s
protective measures was not limited to allowing only Nintendo and
Nintendo-licensed games to be played on Nintendo consoles; it ‘prevented such games from
being played on any other console, thus restricting interoperability and consumer
choice.’ Accordingly, PC Box’s devices would favour independent software
and the internal market in a way that was lawful under the Software Directive and
aligned to the principle of free movement of goods. In particular, the defendant
was relying on the decompilation exception; the decompilation was ‘confined
to the parts of the programme strictly necessary in order to ensure interoperability
between Nintendo consoles and “homebrew” games which did not infringe any
copyright or related right.’ The advocate general rejected this argument, and
the CJEU followed suit. The starting point was that video games are complex
multimedia products. Indeed, they constitute ‘complex matter comprising not
only a computer program but also graphic and sound elements.’ Since a video
game is not (only) a computer program but is also a complex multimedia work,
the Software Directive — and, with it, the decompilation exception — was seen as
inapplicable. The advocate general argued that the Software Directive would take
precedence over the Infosoc Directive ‘only where the protected material falls
entirely within the scope of the former.’ Such prevalence was justified by saying
that, by reason of its exceptions, the protection afforded by the Software Directive
is ‘slightly less generous’ than that which the Infosoc Directive affords. From
this, the controversial inference was that where ‘complex intellectual works
comprising both computer programs and other material are concerned — and where the
two cannot be separated — . . . the greater, and not the lesser, protection should
be accorded.’ Therefore, users of most Things could not rely on the Software
Directive’s exceptions because Things are composite and cannot fall exclusively
within the scope of this directive.

The prevalence of stronger proprietary regimes over weaker, user-focused
regimes in the event of overlaps is open to criticism. The propertarianism that
underpins this approach is incompatible with the public interest dimension of IP.
The CJEU recognises that technological protection measures must be
proportionate and that their circumvention cannot be invoked to ‘prohibit devices or
activities which have a commercially significant purpose or use other than to
circumvent the technical protection.’ However, the court bases this conclusion on
the need to protect competitors’ private interests rather than on the public
interest. Although Nintendo v PC Box illustrates the prevalence of stronger general
copyright on weaker special regimes, whose exceptions are neutralised, it also
indicates that external considerations — the imperatives of free market — can play
a role in limiting IP excesses, at least in principle. The next section will delve into
the drawbacks of the reliance on external limitations.

Similar overprotection issues can be seen when reflecting on the
copyright-design interface. As seen in the preceding passages, Things may be protected by
both rights. This is all the more true after recent EU cases Cofemel and
Brompton. In the former, the court observed that the Berne Convention left it to the
contracting parties to decide whether to exclude cumulative protection of designs
under both copyright and registered designs (or industrial designs). However,
the CJEU opined that ‘the EU legislature opted for a system in which the
protection reserved for designs and the protection ensured by copyright are not mutually
exclusive.’ This conclusion is inferred from both the Design Directive and the
Community Design Regulation, whereby a registered design can also be protected
in other ways, including copyright. The court does not adequately account
for the fact that design law leaves it to member states to decide the conditions
under which this cumulation should operate, ‘including the level of originality
required.’ As to the Infosoc Directive, the argument appears even less
convincing because it is based on Article 9, whereby this directive ‘shall be without
prejudice to provisions concerning . . . design rights.’ Being without prejudice
does not necessarily mean that EU law provides, let alone mandates, a cumulation
of IPRs.

Even more recently, in the Brompton Bicycle case, the CJEU held that
copyright protects original functional shapes. This case is in line with the rise of the
role of copyright in protecting the three-dimensional aspect of Things, as seen
in prior paragraphs. Commentators have warned that ‘cumulation may have
adverse effects if it is absolute and unrestricted in such a way as to become the
norm.’ With the IoT, cumulation is indeed becoming the norm. This is
problematic because, on the one hand, IoT companies will be able to rely on copyright’s
longer protection; on the other hand, copyright exceptions may be overridden by
relying on design rights. Indeed, as there are far fewer exceptions in the design
right regimes, this mismatch can adversely affect the public interest that
permeates copyright exceptions. This was the case, e.g. in a decision of the Tribunal de
Grande Instance of Paris, where the parody exception to copyright was deemed
unavailable because of the cumulation with design rights. Thus, design law ends
up overriding ‘the public-regarding aspects of copyright law.’

The problems created by IP overlaps to exception-focused strategies are
exacerbated in the IoT, where the overlaps become ubiquitous. De lege ferenda, this
brings further evidence to support a change in IP laws to better govern the
relationships between IP subsystems and ensure convergence between the regimes of
exceptions. Such convergence would be consistent with international law and,
in particular, TRIPS and WTO case law. An open-ended exception along the
lines of fair use — as opposed to enumerated and rigid exceptions — may provide
an effective way to prevent clashes and avoid overprotection of IP. A study of
the drafting history of the three-step test — whose narrow interpretation has led
to the current EU approach to copyright exceptions — shows that the test can and
ought to be regarded as a ‘flexible formula (with) its roots in the Anglo-American
copyright tradition.’ Properly understood, based on the travaux préparatoires
of the WIPO Copyright Treaty, the three-step test would allow states to devise
new exceptions that are fit for the IoT and for the digital environment more
generally. A new international treaty establishing a core of minimum mandatory IP
exceptions would provide further guarantees, compared to an approach that relies
on judicial interpretation of existing provisions. In this sense, I would welcome
as a positive effort the International Instrument on Permitted Uses in Copyright
Law, a project launched by the Max Planck Institute for Innovation and
Competition in February 2021. If adopted, this treaty would counterbalance the
traditional ‘minimum protection’ approach of international copyright law, and it would
constitute a model that should be followed in other IP fields, else the problem
of overlaps would not be resolved. A second-best and perhaps more pragmatic
solution may be to retain the current approach and its reliance on exhaustive lists
of exceptions, but either to provide the same exceptions across the board or to
provide that the overlap will not prevent the application of all the exceptions that
may come into play. A third option would be the clarification that, despite the
divergence, each IP subsystem safeguards the other subsystems’ exceptions. This
was the approach of the proposed Directive on Computer-Implemented
Inventions. This proposal is now defunct, but the IoT shows that a harmonised and
balanced approach to the propertisation of software calls urgently for an EU
intervention to prevent clashes and protect the public interest. Such an intervention
should ensure the convergence between the regimes of exceptions so as to cover
similar acts as well as being mandatory, binding, and include both commercial
and noncommercial uses as long as they are fair. Since these processes of
legislative harmonisation are slow, my hope is that human rights-infused interpretations
of IP exceptions as proper user rights will prevail, thus achieving a more balanced
and open approach to innovation governance.

This analysis shows the drawbacks of any attempts to find a solution to IP
abuses within IP itself. Looking through the looking glass, external limitations
could play a role in resolving the overlaps or at least reducing the clashes. We
have seen above the slow and steady rise of freedom of expression to rebalance
IP. Other external limitations may come from the principle of free competition,
including free movement of goods and services. Whilst exceptions — as in-built
limitations to the powers of the IP holder — are of little help, a more successful
strategy may rely on the EU fundamental freedoms of movement. A good
illustration of this point can be found in Parfums Christian Dior SA v Evora BV,
where the CJEU held that if the commercialisation of a product was lawful due
to the exhaustion of the relevant trademarks, copyright could not be invoked to
undermine the objectives of the single market.

I will therefore venture to test the potential of external limitations — and in
particular of competition law — to curb IP excesses and counter the death of
ownership in the IoT. Such potential, or lack thereof, is well illustrated by the antitrust
control over the licensing of SEPs. This will be the focus of the next section.


6.6 Extra-IP Limitations: Are Standard Essential Patents 
on Fair, Reasonable, and Nondiscriminatory Terms 
IoT-FRANDly? 


For IoT (inter)connectivity to work, standardisation is necessary. Standardisation
bodies such as the European Telecommunications Standards Institute (“ETSI”)
require their members to commit to license their patents on fair, reasonable, and
nondiscriminatory (FRAND) terms if they are essential to one of ETSI’s
standards. This mechanism is of utmost importance because it reduces the risk of
litigation, thus incentivising the sharing of technologies and the growth of open,
standardised, and interoperable innovation. For this system to work, it needs to be
assisted by antitrust interventions to prevent SEP holders that are in a dominant
position from abusing it by suing their technologies’ implementers, despite their
FRAND commitment. From this book’s perspective, the reference to technology
implementers is to be construed as referring to companies wanting to enter the
IoT market. To untangle this complex issue, this section will focus on Huawei v
ZTE and its aftermath, including the 2020 decision of the UK Supreme Court in
Unwired Planet International v Huawei.

A SEP is a patent that protects technology that is essential to a standard. The
anticompetitive relevance of licensing practices in the field of SEPs is the
currently most-debated area of friction between IP and competition law as well as
the most relevant competition law issue in IoT regulation. Although, in general,
it is still ‘controversial whether the (IP)-antitrust interface should be viewed as
a conflict or a finalistic convergence,’ it would seem that from the viewpoint
of SEP abuses, IP and competition law diverge. Engaging with SEPs is pivotal
to understanding the economic relevance of patents more generally, as SEPs are
the most valuable type of patents. Indeed, they are more frequently traded, more
frequently litigated, more frequently renewed, and more frequently cited as prior
art compared to non-SEP patents.

If SEPs are not adequately governed, IoT standardisation cannot be achieved. It
is not an exaggeration to say that ‘[w]ithout access to SEPs the whole IoT would
not work.’ European organisations play an active role in the development of
standards. As seen in Chapter 1, standardisation is a form of self-regulation of the
IoT. European standard setting ‘may serve to ameliorate the problems of
overlapping IPRs in those industries in which IP is most problematic for innovation,
particularly semiconductors, software, and telecommunications,’ that is, the
sectors that are key to the IoT. Under the EU Standardisation Regulation, a
standard consists of technical specifications, ‘adopted by a recognised
standardisation body, for repeated or continuous application, with which compliance is not
compulsory.’ A technical specification, in turn, is a document that prescribes
technical requirements to be fulfilled by a product, process, service, or system.
The most important of these requirements, especially from an IoT perspective,
is the laying down of the characteristics required of a product and of a service,
including levels of quality, performance, and interoperability. There are several
standard-developing organisations, from the international level through the
European level to the national one. The European standardisation organisations are
the European Committee for Standardisation (CEN), the European Committee
for Electrotechnical Standardisation (Cenelec), and the ETSI. The focus of this
section will be on the latter because Huawei v ZTE — the leading EU authority
on SEPs — regards a standard adopted by ETSI.

By ensuring the interoperability, connectivity, and safety of technologies,
standards are pivotal to the IoT. These standards frequently refer to technologies
that are protected by patents. A patent is essential to a standard ‘if it is not
possible on technical grounds to make equipment which complies with the standard
without infringing the intellectual-property right.’ Examples of SEPs that are
instrumental to the IoT include patents on Wi-Fi and Bluetooth. More than 23,500
patents have been declared essential to GSM and 3G. Thanks to the 5G standard,
currently being developed, users will enjoy interoperable, high-performance, and
affordable Things. The share of declared SEPs from Chinese and Korean
companies has been growing over time, reflecting their role in the telecommunications
sector and the global economy more generally. With currently 334,680 SEPs,
standardised patented technologies make interconnectivity, and therefore the IoT,
a reality.

IoT companies face a dilemma. In order to maximise the potential for value
extraction, they may be inclined to exclude everyone from their closed proprietary
systems. This strategy risks transforming the IoT into a noninteroperable ‘Internet
of Silos’; without seamless data flows and interoperability, the IoT will fail — and
proprietary IoT companies will fail with it. However, the prospect of licensing
patents that are essential to standards on an industry-wide scale provides an
incentive for patent holders not to leverage their monopolies to prevent the standards
from being available to all for public use. To this end, ETSI and other standard
setting organisations develop IP policies, demanding that their members declare
whether their patented invention is essential to a standard and commit to licensing
it on FRAND terms. Other standard-developing organisations do not require
their members to commit to a license at all; others require default license
commitments under royalty-free terms or non-assertion agreements. A limited number
of organisations rely on patent pools. The focus of this section is on the ETSI
model. Once a standard is established and the holders of the relevant SEPs commit
to license them on FRAND terms, the technology included in the standard should
be available to any potential user of the standard. What is FRAND — especially
which royalties are fair and reasonable — is open to debate. The vagueness of
these concepts made commentators observe that ‘[w]ithout some idea of what
those terms are, reasonable and non-discriminatory licensing loses much of its
meaning.’ Whilst SEP holders allege that technology users free ride on their
innovation, there is evidence that the former charge excessive licensing fees based
on weak patent portfolios and use litigation threats as a negotiation tool. This
conflict is worsened in the IoT in light of the relational black box as presented in
Chapter 1. As noted in a European Commission report, the evolution of the IoT,
with its need for wider connectivity, has led to a variety of SEP owners and
implementers with different business models and to greater diversity of licensing
practices. The IoT’s diversity is exemplified by the large numbers of alliances and
consortia that try to shape IoT standardisation, e.g. the Industrial Internet
Consortium, Open Interconnect, Thread, and Allseen. This diversity is making it ‘more
difficult to identify a consensual interpretation of FRAND licensing principles,’
which is in turn leading to a proliferation of disputes that can be framed as patent
holdup. Patent holdup refers to the practice of waiting for a company to include a
standardised technology in their products and either seeking remedies or
imposing a settlement because, once the technology has been implemented, ‘it is too late
for the company to change course.’ The most common form of patent holdup is
when patent holders that had made FRAND commitments seek injunctive relief
to exclude willing licensees. Another IoT-related issue is that it is not clear
whether SEP holders can decide to demand that the licensee be the end-product
manufacturer as opposed to the supplier of the relevant component. In November
2020, the Düsseldorf Regional Court asked this question to the CJEU in Nokia
v Daimler, as Nokia refused to license its SEP to the suppliers of connectivity
components for connected cars and would license it only to car manufacturer
Daimler. As Things are inherently composite, and in light of the relational black
box, it is to be hoped that the CJEU decides in favour of Daimler. Indeed, to allow
SEP holders to require a license at every level of the supply chain would be in
violation of both the principle of exhaustion and Article 102 TFEU.

In the US, the prevalent approach is that SEP enforcement — including patent
holdup and injunctions against technology users — should not be regarded as an
antitrust violation. There seems to be some divergence between the Department
of Justice, against antitrust interventions in these scenarios, and the Federal Trade
Commission (FTC), more open to them. However, FTC v Qualcomm, a case
that the FTC was using to affirm the antitrust relevance of SEP abuses, has been
adjudicated in favour of the modem chips monopolist. Although in theory in the
EU the antitrust relevance of SEP abuses is not contested, in practice the reasons
of property tend to prevail. This means that the distance between the US and the
EU is more apparent than real. This also means that the death of ownership does
not equate to the death of property. The right to property is as strong as it has
always been, as illustrated by Huawei v ZTE.

Huawei v ZTE deserves a closer look for a twofold reason. First, it is the
leading EU authority in the field of antitrust control over SEP licensing. Second, it
exemplifies the CJEU’s habit of, on the one hand, declaring that IP must be balanced
with other fundamental rights under the Charter of Fundamental Rights of the EU
and the ECHR and, on the other hand, referring to fundamental rights as a mere
rhetorical device to strengthen ‘already strong IP protection.’ This ruling directly
impacts the extent to which external limitations can be invoked to re-empower the
IoT user affected by the death of ownership.

Amongst other SEPs, Huawei owns the patent ‘Method and apparatus of
establishing a synchronisation signal in a communication system’ and notified it to
ETSI as essential to ‘Long Term Evolution,’ a wireless broadband communication
standard. This notification included, as per ETSI’s IPR Policy, the commitment
to license the patent on FRAND terms. ZTE, the defendant, marketed
products equipped with software linked to the aforementioned standard. Therefore,
they engaged in negotiations with Huawei by indicating the royalty which they
considered fair and reasonable to reach a cross-licensing agreement. Although
the agreement was not finalised, ZTE kept marketing the products at issue. It
followed that Huawei brought an action for infringement seeking a prohibitory
injunction, account of profits, delivery-up, and damages. The Landgericht
Düsseldorf (Court of First Instance) decided to stay the proceedings and ask the CJEU
whether Huawei’s conduct qualified as an abuse of dominant position under
Article 102 TFEU. Such an abuse occurs when a dominant undertaking resorts to
methods different from those governing normal competition, thus (i) hindering
the maintenance of the degree of competition still existing in the market where
competition is weakened because of the presence of the dominant undertaking, or
(ii) hindering the growth of that competition. A dominant position is:


[A] position of economic strength enjoyed by an undertaking which enables
it to prevent effective competition being maintained on the relevant market by
affording it the power to behave to an appreciable extent independently of its
competitors, customers and ultimately of its consumers.


On the abusive qualification of Huawei’s conduct, two views could be taken. On the
one hand, in line with the European Commission’s position in Samsung/UMTS,
to seek an injunction when the defendant shows willingness to negotiate a license
would constitute an abuse of dominant position, regardless of whether the
parties could not agree on the content of certain clauses in the licensing agreement,
including the royalty. On the other hand, the Bundesgerichtshof (Germany’s
Federal Court of Justice) held that this conduct would be abusive only under
certain circumstances. First, the defendant must have made an unconditional offer
to conclude a licensing agreement not limited exclusively to cases of
infringement. Second, the defendant must account for past acts of use and pay the sums
resulting therefrom. The first view relied on a pro-competitive approach to IP,
the second view, a pro-proprietary one. The CJEU decided to espouse the latter
approach on the following grounds.

As Volvo, Magill, and IMS Health exemplify, it is settled case law that
the exercise of an IP can qualify as an abuse of dominant position in ‘exceptional
circumstances.’ The essential facility doctrine set forth in these cases means
that a refusal to grant an IP licence may constitute an abuse when:


(i) The undertaking requesting a licence intends to offer new products for which
there is potential consumer demand;
(ii) No objective considerations justify a refusal to license;
(iii) Through the refusal, the IP holder reserves the market to itself, thus
eliminating all competition.


The difference between this jurisprudence and the current dispute does not escape
the court. First, SEPs are, by definition, ‘essential,’ as opposed to normal
patents, in which case excluded third parties can ‘manufacture competing products
without recourse to the patent concerned and without compromising the essential
functions of the product in question.’ It follows that SEP holders can prevent
competitors’ Things from appearing or remaining on the market and reserve to
themselves their manufacture. Second, FRAND commitments create a legitimate
expectation that the SEP holder will grant a FRAND licence. Therefore, ‘a refusal
by the proprietor of the SEP to grant a licence on those terms may, in principle,
constitute an abuse.’ This defence can be raised in infringement proceedings if
the claimant refuses to grant a FRAND licence. There is disagreement, however,
as to what is required for a term to be FRAND.

To resolve the disagreement as to the meaning of ‘FRAND,’ Huawei v ZTE
set forth a procedure that the parties must comply with to achieve a fair balance
of interests. In elaborating on the balance, the CJEU referred to the EU Charter
of Fundamental Rights and, in particular, to Article 17(2) on the protection of IP
and Article 47 on the right to an effective remedy. Both rights can be invoked by
the SEP holder against technology implementers. Surprisingly, the court ignores
the competing fundamental rights that could play a role in rebalancing the
protection of IP, in particular the right to conduct a business, the right to consumer
protection, and freedom of expression. Similarly, the ruling disregards that,
whilst protecting property, the charter recognises that the law can limit it on public
interest grounds. One may object that the public interest limitation is expressly
stated with regard to property, and it is not repeated in paragraph 2 that cryptically
provides, ‘Intellectual property shall be protected.’ However, the rules on
property are increasingly applied to IP, at least by analogy. Luksan e.g. referred
not only to Article 17(2) but also to the first paragraph of the provision, whereby
one may be deprived of one’s possessions, if this is in the public interest. If one
rejects the qualification of IP as property, limitations would nonetheless stem
from Articles 52 and 54 of the EU Charter. Under the former, limitations to the
Charter rights may be made if they are proportionate, necessary, and ‘genuinely
meet objectives of general interest recognised by the Union or the need to protect
the rights and freedoms of others.’ In ZZ (France), the CJEU confirmed that
Article 52 permits limitations on the exercise of the right to an effective remedy.
This right includes the right to an injunction. The advocate general in Huawei
confirmed that this provision can be leveraged also to introduce limitations to IP,
although this point was overlooked by the court. The right to conduct business,
consumer protection, and freedom of expression can justify limitations either as
‘general interest’ or as ‘rights and freedoms of others.’ Under Article 54 of the
Charter, the abuse of rights is prohibited. This doctrine is popular in civil law
jurisdictions, and it prevents rightsholders from using their rights to impinge on
third parties’ rights to a greater extent than provided by the law. This means that
SEP holders cannot weaponise their IP to engage in activities aimed at the
limitation of the Charter rights and freedoms beyond what the Charter allows. None
of these considerations figure in the court’s reasoning, which — whilst declaring
the importance of a fair balance — focused only on the proprietary interests of the
SEP holder. Indeed, the CJEU used the Charter to argue that a high level of IP
protection and effective enforcement must be ensured. Accordingly, it held
that any use of the patent must be preceded by a license and that FRAND
commitments ‘cannot negate the substance of the rights guaranteed to that proprietor.’
This is not an isolated incident. A recent analysis of the EU case law has indeed
shown that ‘Article 17(2) (is) essential in order to strengthen the discipline of
intellectual property protection.’ It could be said that the more user ownership
dies, the more the right to property thrives. In an IoT world, where standards are
vital and each comprises countless SEPs, this imbalanced stance is not socially
just as it prevents smaller IoT businesses and newcomers from entering the market
while reducing consumer freedoms.

In Huawei v ZTE, the CJEU does not regard Article 102 as a source of
fundamental rights that the defendant could rely on. Instead, it regards it as the source
of a limited obligation for the SEP holder to ‘comply with specific requirements
when bringing actions against alleged infringers.’ Therefore, it would
constitute an abuse if the SEP holder brought an action for a prohibitory injunction or
for the recall of products ‘without notice or prior consultation with the alleged
infringer,’ regardless of whether the latter has already used the SEP. Instead of
the flexible and balanced approach of the European Commission in Samsung
and its focus on the defendant’s willingness to negotiate, the court opts for a
rather rigid and imbalanced step-by-step procedure that the parties are expected
to follow to escape liability (the ‘Huawei protocol’). The steps are as follows.


(i) The SEP holder has to alert the technology implementer of the alleged
infringement by identifying the SEP and specifying the way in which it has
been infringed.

(ii) It is for the alleged infringer to express its willingness to conclude a licensing
agreement on FRAND terms.

(iii) The SEP holder has to present a specific written offer for a FRAND licence,
in accordance with the undertaking given to the standardisation body. This
has to include the amount of the royalty and how it has been calculated.
The court justifies this by noting that the SEP holder has access to previous
agreements and is better placed to check whether the offer is nondiscriminatory.
De lege ferenda, it would be important that transparency is ensured:
if these agreements were to be made public, the implementer would be in a
better position to judge which terms are nondiscriminatory.

(iv) The implementer has to respond to the offer diligently, in accordance with
recognised commercial practices in the field, and in good faith. Delaying
tactics would be an expression of bad faith. In case of nonacceptance, the
counteroffer must be prompt, specific, in writing, and FRAND.

(v) If the rightsholder rejects it, the alleged infringer has to provide appropriate
security to cover for the past acts of use of the SEP, and an account must be
rendered of those acts.

(vi) Optionally, an independent third party will be appointed to determine the
amount of the royalties.

It is for national courts to refer to the criteria of the so-called Huawei protocol 
‘insofar as they are relevant, in the circumstances, for the purpose of resolving 
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the dispute.’*°* The decision of the CJEU is affected by the drawbacks of the 
positions of both the European Commission and the Bundesgerichtshof. On the 
one hand, it is affected by the same lack of certainty of the former, as the cri- 
teria set forth appear to be of merely advisory nature.* This was confirmed in 
Unwired Planet v Huawei,*** where the UK Supreme Court was asked whether 
courts should refuse to grant a SEP injunction on grounds of noncompliance 
with the Huawei protocol. The Supreme Court rejected ‘the argument that the 
CJEU’s scheme was mandatory.’*® On the other hand, the ruling of the CJEU 
is affected by the lack of flexibility of the German approach, as it focuses on 
a step-by-step procedure rather than the open formula of the willingness to 
negotiate. On a positive note, Huawei v ZTE shows that the ‘exceptional cir- 
cumstances’ required by the essential facility doctrine**® do not apply to SEP 
licensing, which means that, compared to the IP-competition conflict resolved 
under Volvo,**’ Magill,* and IMS Health,’ the defendant is more likely to 
escape liability. This is important because the essential facility doctrine requires 
the identification of a new product that could be produced by accessing the 
facility, but in IoT markets that rely on large quantities of industrial data, it 
is extremely difficult for the potential licensor to even imagine what the new 
product would look like. Indeed, to imagine it, they would need access to the 
IoT data that constitute the essential facility.

As the case law stands, Huawei has ‘blunted the sword of antitrust law,’ and it
is not by chance that, after Huawei, the European Commission has not intervened 
to temper patent abuses. This is in line with the Competition Commissioner’s 
statement whereby ‘the best way to solve those issues is sometimes to change the 
regulations, not to apply the competition rules.’ This stance further strengthens
the case for the need of an EU harmonisation of patent law to set forth a single and
balanced framework for SEP licensing without the need for competition law interventions
that do not appear to be fit for the IoT. Such a harmonised framework
would centre on the adoption of the ‘willingness to negotiate’ doctrine, the clear
definition of FRAND terms, and the streamlining of exceptions, ideally modelled
on fair use. 

Future research should critically assess if the Competition Commissioner’s 
caution is to be applauded, considering how national courts are interpreting Huawei.
At a cursory look, it would seem that domestic approaches are converging
in assuring a pro-proprietary application of Huawei. The UK Supreme Court in 
Unwired Planet declared English courts’ jurisdiction to determine a FRAND 
global licence for a multinational SEP portfolio. An approach sensitive to the 
necessity to strike a balance between IP and competing interests would have led to 
the clarification that the market value should not be the be-all and end-all of royalty
determination when SEPs are involved. Instead, the Supreme Court imposed
a ‘fair market price’ on technology implementers. The pro-monopolist favour
is also confirmed by the fact that the court regarded damages inadequate, opting
for an injunction — a discretionary remedy that constitutes an indirect form of
specific performance. They did so on the untested assumption that compensation
would give implementers an incentive to hold out country by country until
compelled to pay damages in each country. This preference for ‘property rules’
(injunction) over ‘liability rules’ (damages) well illustrates the imbalance of the
SEP framework. Similarly, Germany’s Supreme Court held that (i) a willing
licensee is one who is willing to accept a license on FRAND terms, however
FRAND may be construed, and (ii) nondiscriminatory does not mean that the
rate should be the same as previous comparable agreements. Finally, in the Netherlands,
the Court of Appeal of The Hague granted injunctions allowing Philips
to stop alleged infringements by Asus and Wiko and reiterated that the Huawei
protocol is not binding.

Despite these shortcomings, the Huawei approach was endorsed by the European
Commission in its Communication ‘Setting out the Approach to Standard
Essential Patents,’ and it has been welcomed by those scholars who see it as
satisfying ‘in an effective manner the interests of all stakeholders.’ In general,
the Commission follows Huawei in refusing a one-size-fits-all approach, which 
leaves an important role for national courts. In practice, this is leading to SEP 
overprotection. 

The first pillar of the Commission’s framework is transparency. Technology 
implementers — including companies wishing to enter the IoT market — can hardly 
predict their exposure if they cannot easily access information about the existence 
and scope of SEPs. Ironically, SEP databases held by standard-developing organisations
are not standardised and lack transparency. The main standards are covered
by hundreds of thousands of SEPs held by dozens of parties. Uncertainty
stems also from the fact that ETSI members can submit their declarations of essentiality
before the actual grant of the patent, which may ultimately not be granted. As
a consequence of this overdeclaration issue, the ‘current declaration practices do
not convey reliable information on the essentiality of declared patents.’ Essentiality
is self-assessed, without external scrutiny. Nor is clarity provided at the
licensing stage. The Commission notes that this is especially problematic in the
context of IoT, where new players with little experience of SEPs licensing are
‘continually entering the market for connectivity.’ Therefore, the Commission:


(i) Called on standard-developing organisations to improve the quality of their
databases by making them user-friendly, searchable on the basis of the standardisation
project, synchronised with patent offices’ databases.

(ii) Called on these organisations to transform the current declaration system 
into a tool that provides up-to-date and precise information in a way that 
helps technology implementers assess patent infringement exposure; 

(iii) Committed to the launch of a pilot project for SEPs in selected technologies 
with a view of facilitating the introduction of an appropriate mechanism to 
scrutinise their essentiality to a standard.


The second pillar is a framework for FRAND licensing. The Commission’s starting
point is that the parties are best placed to achieve a common understanding
of what is a fair rate. This consensus is hindered by conflicting interpretations
of ‘FRAND,’ especially in the IoT sectors, where ‘[d]ivergent views and litigation
over FRAND licensing risk delaying the uptake of new technologies.’ To
overcome this, the Commission invites negotiating parties to consider efficiency
considerations, mutual expectations, and importance of the uptake by implementers
to promote the diffusion of the standard. Worryingly, the Commission takes
a pro-monopolist stance that seems even more extreme than the CJEU’s. Indeed,
the value to consider is not the market value: it is the nebulous concept of ‘value
added of the patented technology (which is) irrespective of the market success
of the product.’ Nonetheless, the Commission seemed aware that this liberal
approach of leaving the FRAND determinations to party autonomy does not work
in the IoT, due to its complex supply chain and imbalanced relationships. Accordingly,
it called on standard-developing organisations and SEP holders to develop
effective, transparent, and predictable solutions ‘to facilitate the licensing of a
large number of implementers in the IoT environment,’ via patent pools or
other licensing platforms. Meanwhile, it committed to monitor licensing practices,
in particular in the IoT sector.

The third pillar is a predictable enforcement environment. SEP patents are 
more litigated than regular patents, and this can result in barriers to entry. This
is particularly true for IoT stakeholders that report that ‘uncertainties and imbalances
in the enforcement system have serious implications for market entry.’
Once again, the Commission prefers to leave the solution to party autonomy on 
the premise that good faith will be a guiding principle and that injunctions can be 
granted against implementers in bad faith. Leaving aside the limited role of good 
faith in common law jurisdictions, this approach has four shortcomings. First, it
ignores that the corrective virtues of good faith are of limited relevance in the context
of imbalanced business-to-business relationships that are commonplace in the
IoT, especially if the implementer cannot enter a market without using a SEP.
Second, the Unwired Planet ‘saga has shown that different views on the way the
parties should negotiate are always just around the corner.’ Therefore, it is hard 
to understand why the Commission, the CJEU, and national courts share the view 
that parties to a SEP licensing agreement are in the best position to determine the 
terms that are most appropriate for their specific situation. Third, it disregards that 
implementers may be in good faith and yet infringe e.g. because the SEP holder is 
unilaterally imposing unfair ‘FRAND’ terms or because they cannot afford to pay 
the market value or the added value for each of the thousands of patents that are 
declared essential to a standard. Fourth, it lacks detail with regard to the ‘precise 
terms of FRAND licensing and the exact meaning of good faith.’ This means
that FRAND terms will be determined in a fragmented way, patent holder by patent
holder, patent by patent, usually in separate proceedings: this can harm the
IoT ‘as technology convergence continues to impact standardisation in key areas
such as next-generation wireless communication and the Internet of Things.’
The Commission declared that it would improve the enforcement environment 
by working ‘with stakeholders to develop and use methodologies, such as sampling,
which allow for efficient and effective SEP litigation.’ This confirms the
coregulatory preference of the EU, the dangers of which have been underlined in 
Chapter 1. The statement also corroborates the idea that the Commission wants to 
achieve an ‘efficient and effective’ outcome as opposed to a balanced outcome.
Imbalanced efficiencies are likely to come from implementers passively accepting
FRAND terms and injunctions being given the antitrust green light. This can
also be seen in the Commission’s ambiguous treatment of the concept of open
source. On the one hand, it recognises that open source is important to improve
standard development, standard take-up, and interoperability. On the other hand, 
it concludes with the concerning notation whereby we need to ‘pay attention to 
the interaction between open source community projects and (standardisation)’
due to the divergences between the former and the latter in terms of IPR policies 
and balance. It is this book’s conviction that, as opposed to looking at free and 
open-source Things with scepticism or even hostility, open-source community 
projects should be convincingly supported — in them lies the hope to take back 
control of the IoT. 

This area of law will have to be kept under observation as changes are in sight. 
At the end of 2020, the European Commission published its IP Action Plan,
where it declared that new technologies such as the IoT provide an opportunity to
modernise the IP framework by intervening in five areas. These include the proposal
for action to ‘facilitate access to and sharing of intangible assets while guaranteeing
a fair return on investment.’ The Commission implicitly admits that
the Communication ‘Setting out the Approach to Standard Essential Patents’
was not a success as ‘[d]espite the guidance provided in the SEPs Communication
. . . some businesses continue to find it difficult to agree on SEP licensing,’
as agreeing on what is fair remains controversial. However, instead of learning 
from its own mistakes (the focus on self- and coregulation as well as on party 
autonomy), the Commission reiterates that, at least in the short term, the solution
will be provided by industry-led initiatives. Positively, reforms will be considered,
including third-party checks on whether the SEP declarations actually
regard ‘essential’ patents. Hopefully, the reform will include a harmonisation 
of patent laws, including SEPs licensing and streamlining of IP exceptions, so as 
to rebalance the IP framework, currently tilted in favour of monopolists and deaf 
to the arguments of fairness. 

Overall, competition law appears to be an ineffective tool in the regulation of 
the IoT and in curbing the underlying power imbalance. This was confirmed in 
June 2021, when the Commission published the initial findings of its inquiry into 
the consumer IoT sector. The respondents reported difficulties in competing
with vertically integrated companies, such as Amazon, Google, and Apple,
which have built their own ecosystems within and beyond the consumer IoT
sector. In particular, they complained about (i) exclusivity and tying practices;
(ii) big tech role as bottlenecks controlling user relationships; (iii) use of data by
voice assistant providers not only to improve the market position of their
general-purpose voice assistants but also to allow them to leverage more easily into adjacent
markets; and (iv) ‘the prevalence of proprietary technology, leading at times
to the creation of “de facto standards”, together with technology fragmentation
and lack of common standards, raise concerns as to the lack of interoperability.’
Unlike ownership, property is alive and well, and it prevails on those ‘official’ 
standards that — overburdened with SEPs and not helped by the lack of decisive 
antitrust interventions — struggle to play a meaningful role in the realisation of an 
interoperable and open IoT. 


6.7 Interim Conclusion 


‘Smart’ capitalism equates rentier capitalism. Increasingly, IoT companies leverage
their intangible assets — and their integration in proprietary hardware — to
impose monopolistic prices, inaccessible barriers to access, and behavioural constraints,
thus harming newcomers, consumers, and society as a whole. The death
of ownership is the chief manifestation of the underlying imbalance of power. In a 
way that, on the face of it, would resemble medieval times, we exercise our rights 
on ‘our’ property subject to the control of the digital lords. However, as the collective
interest and reciprocal duties played an important role in limiting property
in the feudal system, the real precursor of the current state of things ought to be 
found in the individualist outlook of bourgeois society. Under IoT capitalism, the 
death of ownership does not amount to a death of the right to property, which has 
never been stronger, at least in its IP species. Hypertrophic IP portfolios held by 
few multinational IoT corporations are a threat both to individual ownership and 
to the commons. This is well illustrated by the phenomenon of IP overlaps and 
by the prevalence of patents on competition in the context of FRAND licensing. 
In the IoT, IP overprotection and the death of ownership are the result of a 
combination of overlapping IPRs and corporate control over the Thing exercised
by factual, technological, and legal means. IP overlaps hamper any attempt
to rely on IP’s internal limitations to protect the IoT user. For instance, an act 
that falls under a copyright exception (e.g. reverse engineering) may qualify 
as infringement under patent law. My recommendation to courts is to leverage 
European fundamental rights — mainly freedom of expression and prohibition 
of abuse of rights — to (i) interpret existing exceptions as user rights that are of 
equal standing as the IP holder’s rights; (ii) recognise an autonomous, open- 
ended defence along the lines of fair use in the US. As IPRs become ubiquitous 
and sterilise IP exceptions, the case for a fair use approach has never been more 
convincing. Such an approach would allow the public interest to play more of 
a role in IP governance, and it would make sure that the IoT unleashes its sustainability
potential. A more generous approach to exceptions would be robustly
grounded in the ECHR jurisprudence that regards IP as an exception to human
rights, and the CJEU freedom-of-expression-driven jurisprudence. Should a
flexible approach be rejected, a second-best solution would see EU lawmakers 
streamlining existing defences across the different IP subsystems to make sure 
that they are framed explicitly as user rights, as well as being mandatory, binding,
and covering commercial and mixed purposes.

Private power, including the power of IoT platforms and consortia, is the traditional
domain of competition law interventions. In the IoT, the IP-competition
conflict is mainly resolved through the qualification of SEP holders’ actions as
an abuse of dominant position. Regrettably, the CJEU took an imbalanced, pro-SEP
holder stance that has been worsened by national courts. Rather than the
flexible pro-competitive approach taken by the Commission in Samsung, a rigid 
and pro-proprietary, step-by-step protocol has prevailed in Huawei v ZTE and its 
aftermath. The Commission has unquestioningly accepted this new turn and, in 
keeping with its coregulatory preference, is leaving to public and private stakeholders
to codefine a licensing and enforcement framework that revolves around
party autonomy and good faith. These are unlikely to work in the IoT, with its 
complex supply chain, the abundance of players that are new to the technicalities 
of SEP licensing, and its ubiquitous power imbalance. One can only hope that the 
Commission takes a braver approach and adopts a binding instrument that would 
harmonise patent law in the EU, thereby embracing the willingness to negotiate 
as a more flexible method and clearly defining FRAND terms as opposed to leaving
the definition of fairness to market dynamics. As things stand, similarly to
Ricardo’s and Marx’s rentiers that would exploit their monopoly power over the 
land to impose a rent that was a monopoly price, SEP owners aggressively patrol 
the gates to IoT innovation and seek monopolistic rents in the form of licensing 
fees that are only nominally fair. 

IP law and competition provide an unsatisfactory solution to the death of ownership.
This is partly due to the increasing influence of private superpowers.
Thanks to them — and to the lawmakers that accommodated their demands — IP
has become pervasive and imbalanced, whilst market forces no longer erode their
monopolies. Antitrust itself has not yet developed adequate ways to address data
power, with the end result that both internal and external limitations are unlikely 
to play an effective role in rebalancing IoT relationships, at least if relied upon 
in isolation. Legal arguments based on exceptions and competition have failed, 
but where the law fails, collective action may succeed. Free and open source, 
open hardware, open data, and open standards — in a word, the commons — may 
provide the opportunity to organise new forms of resistance and address the IoT 
struggle. This will be the ambitious task of the next chapter, which will attempt
to draw some conclusions.

Conclusion


When the Law Fails Us: The Commons for 
a Collectivised and Open IoT 


The product ceases to be the direct product of the individual, and becomes a social 
product, produced in common by a collective labourer. 
Marx, Das Kapital (2) 


In the three years and a half that have passed since I started writing this book, 
much has changed. Pandemics, overthrowing of dictators, secessions, and anti-racist
uprisings have been affected by increased access to the internet and digital
technologies, leading to the wider adoption of connected devices, to more information
being shared online, and to more action being organised in a continuum
between the cyber and the physical.1

In this world where information and action have become progressively 
more intertwined, and where the online-offline divide is a thing of the past, 
the IoT is destined to be one of the protagonists of our times. As such, understanding
this sociotechnological phenomenon and its laws is pivotal to the
comprehension of internet governance more generally, its recent trends, and 
its main challenges. 

Not having reached technological maturity when I commenced this book, the 
IoT is now past its hype as there are an average of five Things per person globally.2
Surprisingly, the ubiquity of the IoT has not led to an augmented scrutiny by
legal scholars, unlike more popular phenomena, such as AI and the blockchain. 
With the recent publication of A Commercial Law of Privacy and Security for the 
Internet of Things by Stacy-Ann Elvy,3 alongside this book, I hope for a renewed
interest in and wider discourse around the IoT. 

To regulate capitalism has always been an onerous task as capital routinely finds
ways to either sidestep regulation or to influence the drafting of the rules. In the 
IoT, the former has been rendered possible by laws that were already obsolete
when they were adopted as they relied on untenable binaries (hardware-software,
good-service, personal-nonpersonal, online-offline), by the difficulty to pin down a 
definition of the phenomenon, and by some of its core characteristics — namely, its 
sectoral fragmentation, relational black box, and global nature. The latter strategy 
has been traditionally pursued through organised lobbying aimed at preventing the 
passing of legislation or at watering it down. While this still takes place, more
refined tactics include the support to coregulation and self-regulation, in particular
by means of ‘ethical’ initiatives and regulation ‘by design.’ While often praiseworthy,
these soft approaches do not provide sufficient incentives for IoT corporations
to change their behaviour and adopt more responsible, open, human-centric,
and socially just practices. Ethics, design, self-regulation, and coregulation have to 
complement a core of hard laws and regulations that need updating to take account 
of the non-binary nature of the IoT as well as of the novel risks that come with it. 
To account for the IoT’s sectoral fragmentation, relational black box, and global 
nature, these laws will have to be implemented by multiple regulators and on multiple
levels in a coordinated fashion. To this end, we do not need an ‘IoT Act’ or
a specific IoT authority. Rather, I have proposed the setting up of an International
Regulation Coordination Organisation for the IoT (IRCOIOT) to bring together
existing horizontal and vertical regulators in a cross-sector and cross-border way. 

The changes in substantive law need to be evidence-based; notably, they have 
to start from a thorough understanding of the sociotechnological dimension of the 
IoT. To do so, the IoT must be first framed as a subcategory of the internet: IoT 
and internet share similar issues in terms of software, service, data, concentration 
of power, and extraterritoriality. At the same time, the IoT differs due to the role 
played by the Things within it. The physicality is crucial in the sense of accounting
for both the hardware component of the Things and the action that the latter
perform on the physical world. This is not to say that the internet does not have a 
physical dimension. In fact, the physicality has only a more visible role in the IoT, 
with its injection of connectivity, sensors, and actuators in every object around, 
on, and in us. One would misrepresent the internet should one overlook the importance
of its tangible dimension, as exemplified by the issues around the ownership
of the undersea cables, access to the servers, etc. 

The hybrid (cyber-physical) nature of the IoT — and to some extent of the 
internet - has implications as to private power and territoriality. While in the late 
nineties power became extraterritorial as it could move with the speed of the electronic
signal, as Bauman put it,4 with the IoT power becomes fluid as it is both
territorial and extraterritorial at the same time. To define the boundaries of the IoT 
is pivotal to assessing how existing laws apply to it and whether new laws should 
be introduced. While I accept that there will always be a degree of discretion in 
any definitory attempt, I propose to account for both dimensions of the Thing 
by defining it as an inextricable mixture of hardware, software, service, digital 
content, and data with (inter)connectivity, sensing, and actuating capabilities and 
interfacing the physical world. 


4 Zygmunt Bauman, Liquid Modernity (Polity Press; Blackwell 2000) 10-11.

While understanding the technology behind connectivity, sensing, and actuating
is a necessary prerequisite for good regulation and legal analysis, technology
should be considered in its social and even political dimension. To frame the IoT
as a sociotechnological phenomenon means to explore the role of IoT companies
as rule-setters and to critically assess the relationship between their private
ordering and the law, at least in its traditional version of democratically created
rules. At the end of 2020, the European Commission presented the Digital Services
Package. For the first time, the Commission expressly acknowledged that
‘a few large platforms . . . act as private rule-makers’5 and that these gatekeepers
circumvent the law by ‘contractual, commercial, technical’6 means. The package
recognises the role of the terms and conditions (and other ‘legals’)7 in regulating
business-to-consumer relationships and in ‘contracting out’ legal requirements.8
Positively, it states that the law should be able to limit big tech contractual power
in the interests of transparency, consumer protection, and fairness.9 This confirms
my initial methodological option to illuminate the consumer issues in the IoT by
analysing the legals of one of its main gatekeepers, i.e., Amazon. As Langdon
Winner would put it,10 technological artefacts have politics, and to understand
the politics of the IoT, one needs to focus on its private ordering, starting from its 
contracts. 

The exploration of Amazon’s contractual quagmire left me baffled as no one 
would expect that the use of a simple product such as a speaker ends up triggering
a complex web of 246 legals, which are difficult to find and read, let alone
understand. The low readability coefficient of the legals, their length, and the fact 
that they are scattered around the web rather than systematically grouped are only 
some of the reasons that render it impossible for IoT users to fully comprehend 
the relationship to the company as well as the risks and obligations associated to 
the use of the Thing. The lack of transparency is also due to the fact that Amazon 
relies on hundreds of subsidiaries and affiliates who are responsible — and liable — 
for some of the functionalities and services incorporated in the Thing. Two common,
and concerning, characteristics of the contractual quagmire are that one can
hardly identify the contractual parties — which adversely affects the possibility to 


5 ‘The Digital Services Act Package’ (European Commission, 26 April 2021)
<https://digital-strategy.ec.europa.eu/en/policies/digital-services-act-package>.
Emphasis added. There is a growing body
of literature that reflects on the role of private legislators of platform operators in this ‘new 
technologically-supported centrally planned economy’ (Christoph Busch, ‘Regulation of Digital 
Platforms as Infrastructures for Services of General Interest’ (2021) 09 9.). 

6 Proposed Digital Markets Act, art 11(1). A gatekeeper is a provider of a core platform service 
which serves as an important gateway for businesses to reach end users (e.g. search engine), provided
that it has significant impact on the internal market, as well as enjoying an entrenched and
durable position (arts 2(1)(2), and 3(1)). 

7 Indeed, the proposed Digital Services Act defines terms and conditions broadly as ‘all terms and 
conditions or specifications, irrespective of their name or form, which govern the contractual relationship
between the provider of intermediary services and the recipients of the services’ (art 2(q)).

8 Proposed Digital Services Act, art 12(1). 

9 Proposed Digital Services Act, recital 38 and art 12(2). 

10 Langdon Winner, ‘Do Artifacts Have Politics?’ (1980) 109 Daedalus 121.

successfully bring an action — and the fluidity of the contractual subject matter.
Some legals purport to regulate the Thing by separating its hardware, software, 
service, and data components, but the way these components are on each occasion 
(re)defined — often by qualifying as ‘service’ what would normally count as software,
data, or hardware — confirms the initial thesis that Things are an inextricable
mixture of these components. 

The practices exemplified by the contractual quagmire of Amazon are by no 
means specific to this company or to the IoT but are particularly pernicious in 
this context due to the fact that the Things’ ubiquitous sensing and actuating 
capabilities — and their being weaved in the fabric of virtually any object and 
environment, to the point of disappearing — worsen consumer vulnerabilities and 
empower IoT companies to exploit them. Based on my analysis and on my experience
of discomfort while mapping and studying the legals, my recommendation
is that these companies apply web design principles to the legals, namely, the
principle of least astonishment, whereby ‘[i]f a necessary feature has a high astonishment
factor, it may be necessary to redesign the feature.’11 This will mean to
redesign the legals to reduce their number, group them in one place, increase their 
readability, decrease their length, improve their clarity, consistency and fairness. 

The study of these legals — coupled with other ‘law in context’ methods, including 
subject access requests, interactions with customer advisers, and autoethnography — 
led me to the identification of some major consumer issues in the IoT. In assessing 
whether the law can play a role in tackling these issues, I started off from traditional 
consumer law, namely, those laws that apply exclusively to business-to-consumer 
relationships, be they contractual or noncontractual. I then embraced a looser concept
of consumer law and critically assessed the role of data protection and IP.

First, I considered that the contractual quagmire itself — regardless of the content
of the legals — is a fundamental threat to consumers. The fact that, by using a
Thing, consumers are forced to accept a plethora of poorly designed and incomprehensible
legals struck me as something that the Unfair Terms Directive would
tackle. In light of the complexity of the IoT and of the imbalances in terms of 
power and information, this directive imposes on IoT companies more stringent 
requirements of fairness, with a particularly urgent need to rethink the IoT legals 
to make them easy to find, read, and understand. While legal design approaches 
can be useful, it is important that they are not left to the company’s discretion. 
EU regulators may learn from the US counterparts and introduce obligations to 
draft ‘legals’ that reach at least a Flesch-Kincaid readability score that reflects 
the literacy and cognitive resources of the average IoT user. In choosing the best 
way to make IoT legals fairer, regulators and policymakers should become aware 
of what I called the ‘hierarchy of incentives.’ This means that IoT companies are 
more likely to improve their legals in response to public pressure, less likely to do 
so in response to financial incentives, and unlikely to do so if purely motivated 
by the goal of protecting those consumers who ‘pay’ for the Thing with their
personal data. While keeping public pressure high on IoT companies’ contractual
practices is of the utmost importance to achieve a fairer ecosystem, any inquiry
into these practices should take account of the specific characteristics of the contractual
quagmire. For example, enforcement actions or inquiries that target some
contracts in isolation, thus overlooking the relationships with the other contracts 
in the quagmire, would be unlikely to achieve their purposes. The analysis of 
the relation between the contractual quagmire and the Unfair Terms Directive 
generated also new learnings about the role of this directive in the digital world 
more generally. Indeed, this regime is predicated on the form-substance binary. 
Conversely, unfairness of form can lead to unfairness of substance, and the oppo- 
site is also true, to the point that the dichotomy becomes untenable. Additionally, 
the IoT is a reminder that unfairness is to be assessed at the systemic level, not 
analysing individual terms in vitro. Individual terms may well be per se fair, but there is
no doubt that one needs to consider the interrelations within the web of contracts: 
to submerge the consumers with thousands of legals that are impossible to find, 
read or understand is in itself unfair and will contribute to findings of unfairness 
of otherwise-fair individual terms. 

Second, I explored the realm of private ordering ‘by bricking,’ that is, the IoT 
company’s ability to remotely monitor consumers and automatically downgrade 
the Thing, discontinue the service, remove functionalities, determine the lifespan 
of the Thing, and even deactivate or ‘brick’ it. I put forward the argument that 
many of these bricking practices can be regarded as a lack of conformity under 
sale of goods law and that the right to repair can be interpreted as a right to have 
the ‘smartness’ of the Thing restored. This is all the more true now that the Second 
Consumer Sales Directive has passed its transposition deadline and that it has 
been paired with the Digital Content Directive. At a first examination, the reform 
is IoT-friendly. This can be seen in the introduction of the category of ‘goods with
digital elements,’ whose definition broadly coincides with that of a Thing. The 
main issue with the reform is that there is the risk that certain Things will fall in 
a regulatory vacuum. If the digital element is necessary for the good to function, 
the Second Consumer Sales Directive will apply. If the tangible aspect is the mere 
carrier of the digital element, the Digital Content Directive will. There remains a 
grey area between the two poles and future research will need to assess whether 
national implementations are dealing with it appropriately. 

Third, I looked at ‘IoT-commerce’ and in particular at the challenges that an 
interface-free, hyperconnected environment poses to precontractual duties of 
information. The general rule to inform consumers in a clear and intelligible man- 
ner should be interpreted in creative ways that go beyond the traditional terms of 
service available on the company’s website. In an IoT world where there is a rise 
of voice-user and video-user interfaces, consumers should be given information 
in the same format as the one that is usually utilised to interact with the Thing 
(namely, audio or video). This principle, which I called ‘interface continuity,’ is 
emerging from both consumer contracts laws and data protection laws. However, 
its full implementation is hindered by the legibility requirement that the Con- 
sumer Rights Directive set forth for some online transactions. This requirement 
clearly presupposes a written text paradigm and should be abandoned to make the
directive future-proof. De lege ferenda, special provisions should be introduced 
for when transactions are concluded through interface-free Things. 

While the significance of contracts should not be underestimated, it is of the 
utmost importance to comprehend how power imbalance and new extractive prac- 
tices shape up beyond or regardless of a contractual nexus. Moreover, information 
and transparency — the traditional pillars of consumer contract law — are not the 
only thing that matters to IoT end users. With this in mind, I framed the noncon- 
tractual consumer issues in the IoT as issues of vulnerability — both of Things and 
of the human beings that use them: the former affects the latter, and vice versa. 

With this in mind, the fourth consumer issue I explored was the vulnerability of 
Things. In particular, I zoomed in on product liability law, which was conceived 
for tangible products and mechanical or chemical defects. On the face of it, this 
is at odds with mixed hardware-software products, whose defects are often intan- 
gible (e.g. software updates, inaccurate sensor data, etc.). The Product Liability 
Directive has been influential as a model for product liability laws around the 
world, but in recent years it has been only seldom enforced. I would argue that the 
IoT provides an opportunity to rethink the concept of product as an amalgam of 
hardware, software, service, and data. More inclusive interpretations of the scope 
of the Product Liability Directive may, in turn, see the revival of this oft-forgotten 
legal regime. While it is possible to future-proof the law by interpretative means, 
in the interest of legal certainty, it would be important to expressly redefine the 
concept of product to expressly include software — regardless of whether it is 
embedded in a tangible medium — as well as service and data. Similarly, intan- 
gible defects and postsale defects should be accounted for. Otherwise, the pros- 
pect of the harm coming from defective Things may reduce consumer trust in the 
IoT. The review of the directive is ongoing, and hopefully it will overcome those 
binaries that the IoT is disrupting, such as product-service, hardware-software, 
and cybersecurity-security. 

Fifth, I critically evaluated the impact of the ‘Internet of Personalised Things’ 
on human vulnerability. The granular, situational, and often sensitive data collected
by Things and their ability to follow the consumer and target them at the
best time and in the best context allow IoT companies to personalise ads, prod- 
ucts, prices, and even terms of service. These features can be exploited for nefari- 
ous reasons, including manipulation and discrimination. This is in line with the 
fact that capitalism itself revolves around the manipulation of workers to cre- 
ate new needs, in particular selfish ones. Capitalism manipulates needs in that 
it creates consumption needs which silence those deeper needs that shape the 
human personality and hinder the valorisation of capital, e.g. the need for free 
time. Free time and authentic needs are appropriated and manipulated by IoT 
companies — ‘smartness’ becomes the ultimate neoliberal tool to make us ‘dumb.’ !? 
It is no accident that vulnerability has become a key common trait that Things 
and humans share. I argued that at least some of the practices that fall within the
scope of the Internet of Personalised Things can be regarded as running coun- 
ter to the Unfair Commercial Practices Directive. However, as this directive is a 
neoliberal instrument focused on the economic dimension of the consumer and 
on the internal market, its response to IoT-enhanced consumer manipulation is 
not entirely satisfactory. In the age of ‘cyborg consumers,’ the IoT becomes ‘a 
space whose organisation does not require lawyers since it does not need any 
laws different from the de facto power of the smartest.’!? If the law is supplanted 
by engineering and self-programming Things, one can doubt that we can still do 
something to force our values upon the capitalist project. 

The profit-maximising function of manipulation, an individualistic outlook 
on life, and the limited role of the law in constraining capital are only some of 
the features that industrial capitalism shares with IoT capitalism. This appears 
with clarity when analysing a sixth consumer issue in the IoT, namely the ‘Inter- 
net of Loos.’ As Things collect data in our most intimate spaces, including the 
home and the body, one should question whether IoT users retain any reasonable 
expectation of privacy. In this sense, the IoT challenges also the private-public 
dichotomy. If data is the main commodity in the IoT market, then IoT users are 
to be regarded as unwitting workers and the manifold corporate strategies to 
appropriate data are to be considered as a form of digital dispossession. In line 
with Shoshana Zuboff’s theory of surveillance capitalism,'* my study confirms 
that the violence of dispossession is not limited to a pre-industrial capitalism 
stage: digital dispossession is a continuous process, and in the IoT disposses- 
sion is no less violent than pre-industrial dispossession: it is only better hidden. 
A subtle way IoT capitalists utilise to dispossess data is to take steps to keep the
data secret or to aggregate it with existing trade secrets. To find a solution to this
problem, one needs to grapple with the conundrum of the twofold nature of data, at
once the object of fundamental rights and an asset to monetise. To do so, I con- 
sidered how the Trade Secrets Directive and the GDPR deal with the potential 
conflict. This presupposes the debunking of two myths: that IoT data cannot 
be the object of trade secrets and that the GDPR does not apply to IoT data. 
IoT data can be and is kept secret, as confirmed by Amazon’s response to my 
subject access request, which left out crucial information related to inferential 
data and affective computing. Equally, denying that IoT data is personal data 
presupposes the acceptance of a personal-nonpersonal dichotomy that the IoT 
contributes to render untenable. Even raw, aggregated, and anonymised data can 
be recombined and traced back to the identifiable individuals, especially when 
sensitive data is included and AI-powered mining techniques are used. Whilst
the Trade Secrets Directive is of little help, the GDPR deals with the conflict in 
a mysterious recital, about the right of access: 
That right should not adversely affect the rights or freedoms of others, including
trade secrets or intellectual property and in particular the copyright protecting
the software. However, the result of those considerations should not
be a refusal to provide all information to the data subject.'> 


This has been often read by companies as justifying blanket rejections of subject 
access requests where there is the potential for IP to be affected. Instead, I put for- 
ward that all GDPR rights and obligations still apply (e.g. information, data pro- 
tection by design, etc.) and that even the right of access itself applies. Indeed, on 
closer inspection, this is a quadripartite right that is subdivided into (i) a right to 
obtain confirmation as to whether personal data is processed; (ii) a right to obtain 
information about some key features of the processing; (iii) a right to access the 
data that is being processed; and (iv) a right to obtain a free-of-charge copy of 
the data. Trade secrets can limit only this fourth right, not the right of access as 
a whole. In practice this will mean that IoT companies that appropriate data can 
use trade secrets to justify why they do not offer a self-service facility for users 
to download their data. Otherwise, IoT users should be able to count on the full 
armoury of the GDPR to counter digital dispossession. 

It would be hasty to conclude that the GDPR can be regarded as an anticapitalistic
instrument solely because it can play a role in the tackling of the most insidious
practices of IoT capitalism. Quite the opposite. For exploitation
to take place, capitalists need a sufficient quantity of labour power. To this
end capital makes sure that workers can maintain themselves (typically through 
wages) ‘so that they will be available for future exploitations.’'° The GDPR gives 
the new ‘smart’ proletariat of IoT users / data producers some rights that can be 
relied on to reacquire some control over the data. In doing so, it allows us data 
subjects / unwitting workers to maintain ourselves, thus being available for future 
exploitations. In this sense, both the GDPR and the IoT are neoliberal weapons 
that enable the perpetuation of surveillance capitalism. 

The final issue analysed in this book is the death of ownership. We are digital 
tenants, as opposed to owners, of our Things for two reasons. First, the ‘death’ 
may be related to the shift from the sale contract to the subscription — in the ‘sub- 
scription economy,’ we never formally own our Things. This may be for good 
reasons, e.g. sustainability in the circular economy, but it does adversely affect the 
protections that the law affords consumers. Second, ownership dies when users 
formally buy a Thing, but IoT companies retain factual, legal, and technical control
over it throughout its life cycle. This trend has been seen as a sort of return to
medieval times, when peasants did not own the land they worked; they merely 
managed it on behalf of the lord. Related to the power imbalance epitomised by the
death of ownership, the lord would be entitled to the infamous yet never proved 
ius primae noctis. The idea that IoT users have become digital peasants as the IoT 
company retains full postsale control over the Thing is a powerful metaphor, and 
it does contribute to the understanding of an actual problem. However, it seems to 
be predicated on the idea of current capitalism being radically different to indus- 
trial capitalism — a capitalism of the origins that was good as it tackled the medi- 
eval problem of the death of ownership by celebrating private property. However, 
I believe that there is a lot to be learned from land management in medieval times 
and that industrial capitalism is at the root of the current issue. The collective 
interest and reciprocal duties played an important role in limiting property in the 
feudal system — such limitations on the altar of the collective interest are what is 
missing in the current laws that fail to regulate the IoT. The real precursor of the 
current state of things ought to be found in the individualistic outlook of bourgeois
society. In fact, the death of ownership does not equate to the death of the right
to property, which has never been stronger, at least in its IP species. Hypertrophic 
IP portfolios held by few multinational IoT corporations are a threat both to indi- 
vidual ownership and to the commons. This can be inferred by the phenomenon 
of IP overlaps and by the prevalence of patents on competition in the context of 
FRAND licensing. 

Every component of ‘our’ Things is covered by some IPR. IP overlaps are 
caused by the creation of new types of subject matter eligible for protection, wider 
exclusive rights, and novel IPRs. This tendency should be read jointly with the 
increase in cases that interpret IP exceptions narrowly. Thus, IP overlaps hinder 
the ability to rely on IP exceptions and limitations to counter the death of owner- 
ship. When IPRs overlap, the stricter regime will prevail on the more permis- 
sive one. An act that falls under a copyright exception (e.g. reverse engineering) 
may qualify as infringement under patent law. These rights converge on the same 
Thing and may be held by the same IoT company. Accordingly, the latter will 
attempt to regard as infringement virtually any activity of the end user, regardless 
of the fact that in principle these activities would be lawful, as covered by an IP 
exception. My recommendation to courts is to leverage European fundamental 
rights — mainly freedom of expression and prohibition of abuse of rights — to (i) 
interpret existing exceptions as user rights that are of equal standing as the IP 
holder’s rights and (ii) recognise an autonomous, open-ended defence along the 
lines of fair use in the US or the Japanese open exception. As IPRs become ubiq- 
uitous and sterilise IP exceptions, the case for a fair use approach has never been 
more convincing. 

The point that death of ownership is not the same as the death of property — and 
the fact that external limitations can do little to tackle this issue — is most clearly 
shown by the failures of antitrust control over SEP abuses. In order to enter the IoT 
market, companies have to abide by national, regional, and international standards. 
Set by organisations that are heavily influenced by big tech, these standards con- 
tain thousands of patents (e.g. Wi-Fi, Bluetooth, etc.). Without them, it is impos- 
sible to achieve connectivity and interoperability; thus, without access to patented 
inventions included in standards, smaller businesses cannot enter the market. In
the IoT there is a variety of players, many of whom are not used to the complicated
negotiations required to obtain the relevant licenses. The situation is worsened by 
the fact that incumbent big IoT companies wait for smaller, new entrants to adopt 
the technology included in the standard and, when the product is launched, sue for 
infringement. Until recent times, these patent holdup practices were often regarded 
as an abuse of dominant position as long as the technology implementer could show 
the willingness to negotiate a licence. However, in recent years, a pro-proprietary 
approach has prevailed, and it has become nearly impossible to escape liability 
and obtain a licence that is actually fair, reasonable, nondiscriminatory. With a 
single-minded focus on the right to property — effectively ignoring the need to bal- 
ance it with competing interests, including freedom of expression and consumer 
protection — the CJEU, the European Commission, and some national courts ignore 
the power imbalance that is exacerbated in the IoT and leave the definition of what 
is fair to party autonomy and good faith. In keeping with the coregulatory trend in 
internet governance, the law provides only a general and flimsy framework, while 
the actual rules are set by private parties, usually unilaterally, by the incumbent, 
typically a big IoT company. My recommendation is that a binding instrument be 
adopted to harmonise patent law in the EU, thereby embracing the willingness to 
negotiate as a more flexible method and clearly defining FRAND terms as opposed 
to leaving the definition of fairness to market dynamics. 

Reflecting back on these years of study of the IoT and its laws, I am left with 
the conviction that, on the one hand, it is possible to interpret the law tactically 
and to reform it to counter the key issues of the IoT; on the other hand, at a 
higher level, the law will never be enough to steer the development of the IoT in a 
human-centric, open, responsible, and socially just direction. This is in line with a 
Marxist theory of law, whose main tenet is the belief that the rule of law is not an 
essential component of social order (‘legal fetishism’) and that it acts as ‘a subtle 
and pervasive ideology which serves to obscure the structures of class domina- 
tion within the State.’!’7 A Marxist legal theory does not deny that the law and its 
reform can help the working classes — including, today, the ‘smart proletariat’ — 
but the fact remains that the law is mainly an instrument of class oppression and it 
can do little to heighten class consciousness.'® Indeed, Marx shone a light on the 
fact that the law helps capitalists in preventing workers from understanding their own
interests and from acting in common.!? I would put forward that where the law 
fails us, the commons may succeed. 
The concept of ‘commons’ predates Marx, but the underlying idea is central
in Marx’s reflection, and the contemporary category is indebted to Marxist
theory.” Marx’s article on the law on the theft of wood has been the subject 
of recent attention as an important contribution to understanding — and fight- 
ing against — the enclosure of the commons.*! In analysing this law — which 
abruptly privatised the forest of the Rhineland, thus transforming the local 
farmers into thieves — Marx underlined the anxiety of the bourgeois legislator 
about the relation between natural and artificial; the difficulty of a categorical 
distinction reveals a crisis of the labouring subject, and it ultimately reveals 
that all labour is social.?* A popular theory to justify the existence of property 
and IP is based on John Locke’s Of Civil Government”. The Lockean justifica- 
tion is that every person has a right to own property, including IP, because they 
have a right to own their person and, hence, what their body produces through 
labour.*4 Accordingly, individuals who fail to produce value have no claim to 
property. Marx unmasked the Lockean fiction: as in the factory, labour is col- 
lectively organised; if there were any property rights to be derived from this 
form of labouring, they would have to be collective rights. Similarly, Engels 
claimed that it would be in the interests of the proletariat to replace the state 
with the Gemeinwesen,*® which can be translated as commonalty, community, 
and polity.?’ Collectivising the IoT and embracing the commons in this context 
means free and open source, open hardware, open data, open standards, open 
platforms, as well as extralegal collective resistance. 

From an economic point of view, the concept of ‘commons’ refers to nonrival- 
rous and nonexcludable goods or resources.”* Knowledge is a commons as it can 
be the object of collective simultaneous consumption, and one cannot prevent or 
exclude nonpaying consumers from accessing it. From this angle, IP and techno- 
logical protection measures have been invented to render knowledge and informa- 
tion artificially scarce. Thanks to IP, information goods become excludable.”° The 
economic understanding of the commons is rather narrow and does not account
for the polysemous nature of the term.*° For example, in her new book Owned, 
An Ethological Jurisprudence of Property,*! Johanna Gibson uses the commons 
as a way to rethink the nature of property and IP as uniquely human. From an 
IoT perspective, the commons are relevant in two senses. First, the commons are 
intrinsically alternative to private and public property: they refer to goods and 
resources that can be collectively used or managed in anticapitalistic and even 
extralegal ways. This is in line with what Engels sees as the only possible solu- 
tion to the problems of the dispossessed. Namely, the dispossessed should realise 
that ‘a revolution by peaceful means is impossible and that only a forcible aboli- 
tion of the existing unnatural conditions, a radical overthrow of the nobility and 
industrial aristocracy, can improve the material position of the proletarians.’*? As 
Luca Nivarra noted, the laws limiting private property — e.g. the mechanisms of 
compulsory purchase or eminent domain — are insufficient to realise a world of 
commons.** These laws can be used tactically, as a support for defences in dis- 
putes brought by property owners. However, a commons-oriented strategy cannot 
rely on such limited tools. The antagonistic potential of the commons can express 
itself only through extralegal action. One can think of the Gezi Park uprisings in 
Turkey, when people resisted the government’s plans to replace the park with a 
shopping centre and collectively organised to ‘reclaim, repurpose, and reimagine 
the park’s space as a venue that belonged to and was used by everyone who spent 
time there, engaging with each other outside capitalist, commercial, or state-led 
governance.’*4 The collective reappropriation of the commons may technically 
be illegal, but this begs the question whether its enclosure was legal in the first 
place: as Marx put it in the Debates on the Law on Thefts of Wood, ‘[y]ou will 
never succeed in making us believe that there is a crime where there is no crime, 
you will only succeed in converting crime itself into a legal act.’3> My call to civic 
engagement — a call for citizens to ‘organise (their) “forces propres” as social 
forces’** to pursue human emancipation and social justice will benefit the law 
itself and the public governance structures that underpin it. Indeed, ‘the state is 
held together by civil life.” Similar examples of collective organising to regain 
access or control over underused resources, regardless of their legality, abound.
Even though the commons applies to the tangible and the intangible world, these 
extralegal collective practices of resistance have usually applied to real property, 
not to the immaterial world.** This is partly the result of the practical and theori- 
cal difficulty of conceiving an occupation of an intangible space. I would argue 
that the limited uptake of the commons as a practice of resistance in the world of 
immaterial property is also connected to the evocative power of the traditional 
right to property and the emotional attachments that people tend to have to tan- 
gible property. In a sense, the rematerialisation heralded by the IoT — with its 
return of tangible property to the centre of the stage (be it in the form of a cyber-
physical amalgam) — could provide an unparalleled opportunity for a mobilisation 
that will go beyond the occupation of parks, theatres, and other tangible resources. 
As all the reality that surrounds us becomes networked, the fight may organically 
extend from the land to the network. In the IoT, the commons create opportuni- 
ties for collective forms of resistance. We have seen how a manufacturer of 
smart tractors leveraged the IP on the software and the technological protection 
measures embedded in the machinery to prevent some farmers from repairing 
their tractors. These abuses have led to practices of resistance, such as the illegal 
download of the Ukrainian version of the software to circumvent the IoT master’s 
orders.*! Examples of collective forms of resistance and organisation abound. 
One need only think of Barcelona’s digital plan that revolved around ‘citizen-led 
movements to reclaim’*” the smart city, with the ultimate goal of building a data 
commons. IoT users experiment in new forms of cooperativism, responsible IoT, 
and socialisation of data in a number of ways, many of which revolve around the 
idea of an ‘open’ IoT. 

This leads to a second sense in which the commons are relevant
from an IoT viewpoint. As Things become commonplace and are routinely used 
even in sensitive domains (healthcare, national security, etc.), it becomes of the 
utmost importance to open the IoT for at least two reasons. First, proprietary ‘black 
box’ Things are dangerous: openness allows users to regain control over their
Things, and by underlying interoperability, it makes IoT systems safer. Second, the 
manufacturers of proprietary Things often discontinue security updates or no longer 
support the Thing. One need only think of smart medicine: one should feel confident
that a medical device implanted in one’s body will be supported and updated
throughout one’s lifetime. Therefore, it is imperative to either create Things that 
are open from the get-go or to release the code once the Thing is discontinued. The 
most immediate application of the commons to the IoT is free and open-source 
software. Indeed, at the basis of the information commons, there is ‘an organization 
of the production and distribution of knowledge that ensures open access.’*? The 
victory of the open-access model over the proprietary one depends on a number 
of factors which go beyond the IoT but are here more visible. First, free and open- 
source software has a political, activist dimension aiming at organising bottom-up 
forms of resistance to big tech. However, the rise of pure, open-source software — as 
opposed to free and open — ushers in an era of depoliticised openness. This can be 
seen particularly clearly in the fact that big tech, such as Google and Microsoft, are 
sponsoring numerous open-source projects. These are ways to exploit the allure of 
open source to drive adoption while taming its political potential. Second, as Things 
are an amalgam of software, hardware, service, and data, free and open-source soft- 
ware per se is not enough to achieve an open IoT. We need to open standards, data, 
hardware, and platforms. The ambition of open standards is thwarted by big tech-led
consortia lobbying standard-developing organisations and becoming effectively
standard-setting entities themselves. Open data is vital as the long-term impact of 
IoT data is unimaginable. Open data is hard to achieve in the context of increasing technical
and legal secrecy. The Data Governance Act provides some incentives to open
up data. However, it relies on an individualistic model of governance that ignores the 
interests of those affected by the decisions based on the data altruistically donated.“ 
Preferences around data governance vary as they are political in nature; therefore, 
more participative approaches to the relevant design process should be adopted.*° 
Important open data projects include the European Tracking Network, which inte- 
grates all aquatic animal tracking in Europe (fish tags) in one network. Open 
hardware has been pivotal to the growth of the IoT. One need only think of the 
Arduino boards, whose plans are published under a Creative Commons license. 
Open hardware meets the resistance of all those that see it as a threat to security. 
However, there are a number of promising projects that are making the idea of open 
hardware more widely accepted. An example is provided by the Databox, ‘an 
open-source personal networked device, augmented by cloud-hosted services’*°
that mediates access to one’s personal data by audited third-party applications. 
A nonacademic illustration is offered by Arribada, which codevelops open, cus- 
tomisable, and impact-driven conservation technologies. Its open platform pro- 
vides the building blocks necessary to develop low-cost wireless sensors and 
biologging tags. Arribada’s plug-and-play satellite connectivity can be added to 
any Thing, and this openness has enabled a number of green projects ranging 
from the tracking of plastic in the Ganges to avoiding human-elephant conflict 
in India.“ Based on interviews with leaders in the field, it seems clear that the 
security concerns are overstated, but open hardware is still often regarded as not 
commercially attractive, as suggested by the fact that many make open hardware 
but rebrand it as ‘future-proof’ IoT and ‘customisable’ IoT. Finally, the openness 
of platforms is of utmost importance, and this brings us back to the first meaning 
of commons. An example is provided by the collective organisation of Google’s 
employees in June 2020 to fight and end the company’s practice to provide its AI
to law enforcement agencies,*® despite the visible failures of predictive policing 
and facial recognition, which has often perpetuated and exacerbated racism and 
other forms of discrimination. Finally, the openness of platforms depends on 
various regulatory factors. On the one hand, the rise of monitoring obligations
epitomised by the upload filter is an incentive for platforms to ‘close’ themselves 
and become more secretive to reduce exposure to liability. On the other hand, 
recently proposed EU legislation is embracing the idea of auditing platforms. 
For example, under the draft Digital Services Act, very large online platforms 
are subject to yearly independent audits to assess compliance with the Act and 
the codes of conduct. Similarly, under the proposed AI Act, providers of high-risk
AI systems are audited to evaluate the maintenance of a quality management
system that ensures compliance with this Act. Audits are likely to be pivotal
to opening all platforms, including IoT ones. In opening software, hardware, 
standards, data, and platforms, an important role will be played by the design of 
Things. For years now, human-centred design has been the prevalent approach, 
but it has often adopted an individualistic outlook: those who are not the direct 
users of the Thing and the collective interests that could not be linked to a
specific human being would often be overlooked. Against this backdrop,
More-Than-Human Design should be preferred as a methodology to design Things
that take into account the consequences that decrease the well-being of all the
inhabitants of the relevant natural and social systems. While I would warn of
the consequences of framing this new design approach as Thing-centred or
Post-Human-Centred — as I still believe that human beings, albeit in their
collective dimension, should be the core concern of regulation (including regulation
‘by design’) — I do think that, especially in a time of climate emergency and 
social unrest, we can no longer afford an individualistic IoT. 

Overall, there are some reasons to remain hopeful that through free and
open-source software, standards, data, hardware, and platforms, we will one day
realise the dream of an open and socially just IoT. This is likely to depend more
on collectively organised citizens than on big tech-lobbied governments. Such
collective forms of organised resistance can be formal or informal. Trade union
action is a prime example of the former. In December 2020, the Tribunale di Bologna
upheld the motion of trade union CGIL to consider Deliveroo’s algorithm
discriminatory as it would penalise riders who would be less productive due to
sickness or exercise of the right to strike. Equally important are informal forms of
collective resistance, especially popular in the IoT space. The most famous one 
is the Open Internet of Things Certification Mark. This was a community-led 
project initiated in 2017 by the IoT meetup. It led inter alia to ‘Better IoT’, a free,
accessible, open assessment tool aimed at start-ups and SMEs to help them design
better-connected products. From talking to one of its founders, it appeared clear that
collective and community-led projects are vital for at least two reasons: first,
ethics is often pushed by professional bodies, but the IoT does not have one; second,
IoT makers come from diverse backgrounds, and if they do not talk to each other,
there is a risk of reducing responsible innovation to mere issues of security. Some
initiatives work within the capitalistic horizon, trying to reform the system from 
within. Certification schemes like BCorp and Responsible 100, as well as the
Zebra movement, are part of this trend. For example, BCorp-certified Mycroft
has been successful at developing an open, customisable, and private alternative
to Echo but has since been busy with patent litigation. The most promising
realities operate through anticapitalistic models. Hubs such as the Platform
Cooperativism Consortium facilitate the creation of jointly owned and democratically
controlled enterprises with a commitment to open-source development and
open data. Similarly, CoTech is a network of digital worker cooperatives that
believe that technology can make the world fairer as ‘workers who collectively 
own their companies and control their destinies make better workplaces, better 
suppliers and better digital products.’ More IoT-specific, the Things Network
provides a set of open tools and a global, open network to build IoT applications
that have so far included a range of community projects ranging from cattle
tracking to smart irrigation. While IoT cooperatives seem to me the most attractive
model, they are not the only one and they are not necessarily the best approach in 
every sector and geographical area. Other models include membership
associations, such as ThingsCon, known for its Trustable Technology certification mark,
whereby IoT companies undergo an assessment to evaluate if they are developing
fair, responsible, and human-centric technologies. ThingsCon also contributes
through an annual collection of essays to explore the challenges, opportunities,
and questions surrounding the creation of a responsible IoT. Similarly, think
tank Doteveryone developed TechTransformed — now adopted by the Open Data
Institute — a set of open practical resources to help organisations be more
technologically responsible day-to-day. Another relevant organisational structure is
the action group; for example, INTEROPen adopts such a model to accelerate the 
development of open standards for interoperability in the health and social care 
sector, while putting commercial interests to one side. Some projects are more 
institutional than others; e.g., OpenUK is a not-for-profit company and industry
advocacy organisation that promotes open software, open hardware, and open
data while representing the UK in the development of Gaia-X. The latter is a
project to develop a European federated data infrastructure where openness and
transparency are declared to be central aims. It is unclear how the ultimate goal
of data sovereignty can be achieved involving US companies closely tied to the
military and intelligence apparatus, such as Palantir. While most of these
initiatives are local, some are international. For instance, openEHR International is the
nonprofit organisation behind a community-led campaign for e-health, consisting 
of open specifications, clinical models, and software that can be used to create 
standards and build information and interoperability solutions for healthcare. 
During the pandemic, this community released open-source components to assist 
software developers in creating applications to fight COVID-19. 

Upon interviewing some of these projects’ founders, three common threads 
emerged. First, they do not hold much hope that legal interventions will do much 
to improve the IoT, although specific reforms in support of the right to repair, 
corporate transparency, and data control seem to be the top priorities for those 
working in the field. Second, they are convinced that on a level playing field, 
open models would be a winner, and therefore antitrust authorities should do more 
against incumbents that can sell Things at a loss because they monetise sensor 
data in opaque ways. Ensuring a level playing field would also mean preventing 
IoT big tech from externalising costs especially by neglecting the IoT’s
sustainability footprint. Third, perhaps most importantly, what they expect from
governments is mostly the convinced backing of different ownership and control models
that have potential to scale and, unlike venture capitalist-backed organisations,
do not aim for growth. This support can take many forms, from public funding 
through procurement to tax relief. Recommendations for governments include 
the backing of cooperatives with a model to raise investment which is not from a 
venture capitalist, and need-based projects. Instead of more IoT gadgets, Things 
that help people with their basic needs, e.g. food, safe shelter, health. Currently, 
there are nearly 2,000 IoT meetups around the world — a vast number of which are
in the Global South — with a million and a half active participants. In their
collective, organised, bottom-up participatory action — not in bourgeois law, not in the
ethical turn, not in the idea of regulation ‘by design’ — lies the hope for a better, 
human-centric, open, responsible, and socially just IoT. 

Future research should be dedicated to more systematically comprehending the 
convergence between the commons and the IoT, including from queer and black 
perspectives. Queer here means a radical critique of society and culture put
forward by nonnormative, oppressed, and ‘othered’ subjects. Much of the impact
of the IoT on the law and on power can be framed as a form of ‘queering,’ as
in overcoming and troubling binary representations of the world (good-service,
human-thing, consumer-worker, etc.) and celebrating forms of power that are
fluid, both virtual and physical, public and private. Queer theory gives a
meaningful contribution to the understanding of the commons and to activating its political
potential. Queer activism is a resource to be harnessed to imagine, experiment
with, and enact ‘the improvisational infrastructures necessary for managing the
unevenness of contemporary existence.’ Not by accident, Gezi Park — where the
‘largest and most public performance of commons in the history of the country’
took place — was a place where trans and queer people would have clandestine 
sexual encounters. The queer commons intersects with critical race theory and 
Global South voices, which can most notably be seen in the idea of ‘brown
commons’ proposed by queer theorist José Esteban Muñoz: the brown commons is
‘not about the production of the individual but instead about a movement, a flow,
and an impulse, to move beyond the singular and individualized subjectivities.’
To queer the laws of the IoT means to rethink them in a way that accommodates 
the non-binary nature of this sociotechnological phenomenon and that
incentivises bottom-up collective action. Whether this approach will be taken by future
legislative, regulatory, and jurisprudential innovations — e.g. the proposed Data
Act, or the antitrust interventions that will ensue from the Commission’s inquiry
into consumer IoT — will be the subject of close scrutiny. To queer the IoT and its
laws and to embrace the commons is no easy pursuit, but it is one whereupon the 
future of our society depends. 